diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml
index 9c99593bf..ac9856240 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml
@@ -94,6 +94,12 @@
guice
+
+
+ com.google.inject.extensions
+ guice-assistedinject
+
+
com.google.guava
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
index 5ae0ea53f..e47ccf259 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
@@ -20,6 +20,8 @@
package org.apache.guacamole.auth.jdbc;
import com.google.inject.Scopes;
+import com.google.inject.assistedinject.FactoryModuleBuilder;
+
import javax.sql.DataSource;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
import org.apache.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
@@ -38,6 +40,8 @@ import org.apache.guacamole.auth.jdbc.permission.SystemPermissionMapper;
import org.apache.guacamole.auth.jdbc.user.UserMapper;
import org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupService;
import org.apache.guacamole.auth.jdbc.connection.ConnectionService;
+import org.apache.guacamole.auth.jdbc.tunnel.AccessEnforcingDelegatingTunnel;
+import org.apache.guacamole.auth.jdbc.tunnel.AccessEnforcingDelegatingTunnelFactory;
import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.apache.guacamole.auth.jdbc.security.PasswordEncryptionService;
import org.apache.guacamole.auth.jdbc.security.SHA256PasswordEncryptionService;
@@ -196,7 +200,14 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
bind(UserGroupPermissionService.class);
bind(UserPermissionService.class);
bind(UserService.class);
-
+
+ // Bind Factories
+ install(new FactoryModuleBuilder()
+ .implement(
+ AccessEnforcingDelegatingTunnel.class,
+ AccessEnforcingDelegatingTunnel.class)
+ .build(AccessEnforcingDelegatingTunnelFactory.class));
+
}
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
index 763793d62..778d5b29f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
@@ -227,4 +227,19 @@ public abstract class JDBCEnvironment extends DelegatingEnvironment {
*/
public abstract boolean trackExternalConnectionHistory() throws GuacamoleException;
+ /**
+ * Returns a boolean value representing whether access time windows should
+ * be enforced for active connections - i.e. whether a currently-connected
+ * user should be disconnected upon the closure of an access window, or
+ * when the user is disabled.
+ *
+ * @return
+ * True if a connected user should be disconnected upon an access time
+ * window closing, or the user being disabled.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public abstract boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException;
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionDirectory.java
index b0d6324aa..b9a149933 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionDirectory.java
@@ -44,34 +44,40 @@ public class ActiveConnectionDirectory extends RestrictedObject
@Override
public ActiveConnection get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return activeConnectionService.retrieveObject(getCurrentUser(), identifier);
}
@Override
public Collection getAll(Collection identifiers)
throws GuacamoleException {
+ validateUserAccess();
Collection objects = activeConnectionService.retrieveObjects(getCurrentUser(), identifiers);
return Collections.unmodifiableCollection(objects);
}
@Override
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return activeConnectionService.getIdentifiers(getCurrentUser());
}
@Override
public void add(ActiveConnection object) throws GuacamoleException {
+ validateUserAccess();
activeConnectionService.createObject(getCurrentUser(), object);
}
@Override
public void update(ActiveConnection object) throws GuacamoleException {
+ validateUserAccess();
TrackedActiveConnection connection = (TrackedActiveConnection) object;
activeConnectionService.updateObject(getCurrentUser(), connection);
}
@Override
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
activeConnectionService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RestrictedObject.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RestrictedObject.java
index 66979d487..461ce5804 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RestrictedObject.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RestrictedObject.java
@@ -19,7 +19,13 @@
package org.apache.guacamole.auth.jdbc.base;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleUnauthorizedException;
+import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+
+import com.google.inject.Inject;
/**
* Common base class for objects that are associated with the users that
@@ -33,6 +39,12 @@ public abstract class RestrictedObject {
*/
private ModeledAuthenticatedUser currentUser;
+ /**
+ * The environment of the Guacamole server.
+ */
+ @Inject
+ private JDBCEnvironment environment;
+
/**
* Initializes this object, associating it with the current authenticated
* user and populating it with data from the given model object
@@ -68,4 +80,39 @@ public abstract class RestrictedObject {
this.currentUser = currentUser;
}
+ /**
+ * Validate that the current user is within a valid access time window
+ * and not disabled. If the user account is disabled or not within a
+ * valid access window, a GuacamoleUnauthorizedException will be thrown.
+ *
+ * This method can be called by RestrictedObject implementations before
+ * any operation that's specific to the current logged in user, to make
+ * sure that their access is still valid and enabled.
+ *
+ * If accessWindowCheckEnabled is set to false, the check will be skipped,
+ * and GuacamoleUnauthorizedException will never be thrown.
+ *
+ * @throws GuacamoleException
+ * If the user is outside of a valid access window, the user is
+ * disabled, or an error occurs while trying to determine access time
+ * restriction configuration.
+ */
+ protected void validateUserAccess() throws GuacamoleException {
+
+ // If access windows shouldn't be checked for active sessions, skip
+ // this check entirely
+ if (!environment.enforceAccessWindowsForActiveSessions())
+ return;
+
+ // If the user is outside of a valid access time window or disabled,
+ // throw an exception to immediately log them out
+ ModeledUser modeledUser = getCurrentUser().getUser();
+ if (
+ !modeledUser.isAccountAccessible()
+ || !modeledUser.isAccountValid()
+ || modeledUser.isDisabled()
+ )
+ throw new GuacamoleUnauthorizedException("Permission Denied.");
+ }
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionDirectory.java
index 52a127df4..54ca79033 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionDirectory.java
@@ -45,12 +45,14 @@ public class ConnectionDirectory extends RestrictedObject
@Override
public Connection get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return connectionService.retrieveObject(getCurrentUser(), identifier);
}
@Override
@Transactional
public Collection getAll(Collection identifiers) throws GuacamoleException {
+ validateUserAccess();
Collection objects = connectionService.retrieveObjects(getCurrentUser(), identifiers);
return Collections.unmodifiableCollection(objects);
}
@@ -58,18 +60,21 @@ public class ConnectionDirectory extends RestrictedObject
@Override
@Transactional
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return connectionService.getIdentifiers(getCurrentUser());
}
@Override
@Transactional
public void add(Connection object) throws GuacamoleException {
+ validateUserAccess();
connectionService.createObject(getCurrentUser(), object);
}
@Override
@Transactional
public void update(Connection object) throws GuacamoleException {
+ validateUserAccess();
ModeledConnection connection = (ModeledConnection) object;
connectionService.updateObject(getCurrentUser(), connection);
}
@@ -77,6 +82,7 @@ public class ConnectionDirectory extends RestrictedObject
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
connectionService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupDirectory.java
index 9f3930597..030432793 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupDirectory.java
@@ -45,12 +45,14 @@ public class ConnectionGroupDirectory extends RestrictedObject
@Override
public ConnectionGroup get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return connectionGroupService.retrieveObject(getCurrentUser(), identifier);
}
@Override
@Transactional
public Collection getAll(Collection identifiers) throws GuacamoleException {
+ validateUserAccess();
Collection objects = connectionGroupService.retrieveObjects(getCurrentUser(), identifiers);
return Collections.unmodifiableCollection(objects);
}
@@ -58,18 +60,21 @@ public class ConnectionGroupDirectory extends RestrictedObject
@Override
@Transactional
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return connectionGroupService.getIdentifiers(getCurrentUser());
}
@Override
@Transactional
public void add(ConnectionGroup object) throws GuacamoleException {
+ validateUserAccess();
connectionGroupService.createObject(getCurrentUser(), object);
}
@Override
@Transactional
public void update(ConnectionGroup object) throws GuacamoleException {
+ validateUserAccess();
ModeledConnectionGroup connectionGroup = (ModeledConnectionGroup) object;
connectionGroupService.updateObject(getCurrentUser(), connectionGroup);
}
@@ -77,6 +82,7 @@ public class ConnectionGroupDirectory extends RestrictedObject
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
connectionGroupService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileDirectory.java
index 632557052..57ccb6d63 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileDirectory.java
@@ -44,12 +44,14 @@ public class SharingProfileDirectory extends RestrictedObject
@Override
public SharingProfile get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return sharingProfileService.retrieveObject(getCurrentUser(), identifier);
}
@Override
@Transactional
public Collection getAll(Collection identifiers) throws GuacamoleException {
+ validateUserAccess();
return Collections.unmodifiableCollection(
sharingProfileService.retrieveObjects(getCurrentUser(), identifiers)
);
@@ -58,18 +60,21 @@ public class SharingProfileDirectory extends RestrictedObject
@Override
@Transactional
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return sharingProfileService.getIdentifiers(getCurrentUser());
}
@Override
@Transactional
public void add(SharingProfile object) throws GuacamoleException {
+ validateUserAccess();
sharingProfileService.createObject(getCurrentUser(), object);
}
@Override
@Transactional
public void update(SharingProfile object) throws GuacamoleException {
+ validateUserAccess();
ModeledSharingProfile sharingProfile = (ModeledSharingProfile) object;
sharingProfileService.updateObject(getCurrentUser(), sharingProfile);
}
@@ -77,6 +82,7 @@ public class SharingProfileDirectory extends RestrictedObject
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
sharingProfileService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
index 8c16363a6..f26b8ea13 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
@@ -46,6 +46,7 @@ import org.apache.guacamole.GuacamoleResourceNotFoundException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.GuacamoleUpstreamException;
+import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
import org.apache.guacamole.auth.jdbc.connection.ConnectionMapper;
import org.apache.guacamole.net.GuacamoleSocket;
import org.apache.guacamole.net.GuacamoleTunnel;
@@ -63,6 +64,7 @@ import org.apache.guacamole.auth.jdbc.sharingprofile.ModeledSharingProfile;
import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterMapper;
import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterModel;
import org.apache.guacamole.auth.jdbc.user.RemoteAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.UserService;
import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
import org.apache.guacamole.protocol.FailoverGuacamoleSocket;
import org.slf4j.Logger;
@@ -117,6 +119,24 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
@Inject
private SharedConnectionMap connectionMap;
+ /**
+ * Service for fetching users.
+ */
+ @Inject
+ private UserService userService;
+
+ /**
+ * The environment of the Guacamole server.
+ */
+ @Inject
+ private JDBCEnvironment environment;
+
+ /**
+ * Provider for creating AccessEnforcingDelegatingTunnel instances.
+ */
+ @Inject
+ private AccessEnforcingDelegatingTunnelFactory accessEnforcingTunnelFactory;
+
/**
* All active connections through the tunnel having a given UUID.
*/
@@ -385,13 +405,21 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
* connection, which MUST already be acquired via acquire(). The given
* client information will be passed to guacd when the connection is
* established.
- *
+ *
* The connection will be automatically released when it closes, or if it
* fails to establish entirely.
*
+ * If user access window restrictions are enabled for active sessions,
+ * they will be automatically enforced for any valid database users as the
+ * tunnel is used.
+ *
* @param activeConnection
* The active connection record of the connection in use.
*
+ * @param user
+ * The user record in the database for the user connecting to the
+ * connection, if any.
+ *
* @param info
* Information describing the Guacamole client connecting to the given
* connection.
@@ -412,8 +440,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
* If an error occurs while the connection is being established, or
* while connection configuration information is being retrieved.
*/
- private GuacamoleTunnel assignGuacamoleTunnel(ActiveConnectionRecord activeConnection,
- GuacamoleClientInformation info, Map tokens,
+ private GuacamoleTunnel assignGuacamoleTunnel(
+ ActiveConnectionRecord activeConnection,
+ ModeledAuthenticatedUser user, GuacamoleClientInformation info,
+ Map tokens,
boolean interceptErrors) throws GuacamoleException {
// Record new active connection
@@ -476,12 +506,21 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
getUnconfiguredGuacamoleSocket(connection.getGuacamoleProxyConfiguration(),
cleanupTask), config, info);
- // Assign and return new tunnel
+ // Assign new tunnel
+ GuacamoleTunnel tunnel;
if (interceptErrors)
- return activeConnection.assignGuacamoleTunnel(new FailoverGuacamoleSocket(socket), socket.getConnectionID());
+ tunnel = activeConnection.assignGuacamoleTunnel(new FailoverGuacamoleSocket(socket), socket.getConnectionID());
else
- return activeConnection.assignGuacamoleTunnel(socket, socket.getConnectionID());
-
+ tunnel = activeConnection.assignGuacamoleTunnel(socket, socket.getConnectionID());
+
+ // If there is an associated database user, and access window
+ // restrictions are enabled for active sessions, wrap the tunnel
+ // in order to check user login validity on every instruction read
+ if (user != null && environment.enforceAccessWindowsForActiveSessions()) {
+ tunnel = accessEnforcingTunnelFactory.create(tunnel, user);
+ }
+
+ return tunnel;
}
// Execute cleanup if socket could not be created
@@ -631,8 +670,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
acquire(user, Collections.singletonList(connection), true);
// Connect only if the connection was successfully acquired
- ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(connectionMap, user, connection);
- return assignGuacamoleTunnel(connectionRecord, info, tokens, false);
+ ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(
+ connectionMap, user, connection);
+ return assignGuacamoleTunnel(
+ connectionRecord, user, info, tokens, false);
}
@@ -677,9 +718,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
try {
// Connect to acquired child
- ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(connectionMap, user, connectionGroup, connection);
- GuacamoleTunnel tunnel = assignGuacamoleTunnel(connectionRecord,
- info, tokens, connections.size() > 1);
+ ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(
+ connectionMap, user, connectionGroup, connection);
+ GuacamoleTunnel tunnel = assignGuacamoleTunnel(
+ connectionRecord, user, info, tokens, connections.size() > 1);
// If session affinity is enabled, prefer this connection going forward
if (connectionGroup.isSessionAffinityEnabled())
@@ -736,7 +778,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
user, definition.getActiveConnection(), definition.getSharingProfile());
// Connect to shared connection described by the created record
- GuacamoleTunnel tunnel = assignGuacamoleTunnel(connectionRecord, info, tokens, false);
+ GuacamoleTunnel tunnel = assignGuacamoleTunnel(
+ connectionRecord, userService.retrieveAuthenticatedUser(
+ user.getAuthenticationProvider(), user.getCredentials()),
+ info, tokens, false);
// Register tunnel, such that it is closed when the
// SharedConnectionDefinition is invalidated
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnel.java
new file mode 100644
index 000000000..5ee08330c
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnel.java
@@ -0,0 +1,196 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.jdbc.tunnel;
+
+import java.util.concurrent.atomic.AtomicReference;
+
+import javax.annotation.Nonnull;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleUnauthorizedException;
+import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+import org.apache.guacamole.auth.jdbc.user.UserService;
+import org.apache.guacamole.io.GuacamoleReader;
+import org.apache.guacamole.net.DelegatingGuacamoleTunnel;
+import org.apache.guacamole.net.GuacamoleTunnel;
+import org.apache.guacamole.protocol.FilteredGuacamoleReader;
+import org.apache.guacamole.protocol.GuacamoleFilter;
+import org.apache.guacamole.protocol.GuacamoleInstruction;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Inject;
+import com.google.inject.assistedinject.Assisted;
+import com.google.inject.assistedinject.AssistedInject;
+
+/**
+ * A tunnel implementation that enforces access window restriction for the
+ * provided ModeledUser, throwing a GuacamoleUnauthorizedException if the
+ * user's configured access window has closed, or if the user has become
+ * disabled. All other tunnel implementation is delegated to the underlying
+ * tunnel object.
+ */
+public class AccessEnforcingDelegatingTunnel extends DelegatingGuacamoleTunnel {
+
+ /**
+ * Logger for this class.
+ */
+ private static final Logger logger = LoggerFactory.getLogger(
+ AccessEnforcingDelegatingTunnel.class);
+
+ /**
+ * The number of milliseconds between subsequent refreshes of the user
+ * from the DB.
+ */
+ private static final long USER_MODEL_REFRESH_INTERVAL = 10000;
+
+ /**
+ * The user who's access window restrictions should be applied for the
+ * wrapped tunnel.
+ */
+ private final AtomicReference user;
+
+ /**
+ * A thread that will continously refresh the user
+ */
+ private final Thread userRefreshThread;
+
+ /**
+ * A service to use for refreshing the user from the DB.
+ */
+ @Inject
+ private UserService userService;
+
+ /**
+ * Create a new tunnel that will enforce the access window restrictions of
+ * the provided user, during usage of the provided tunnel.
+ *
+ * @param tunnel
+ * The tunnel to delegate to.
+ *
+ * @param modeledAuthenticatedUser
+ * The user whose access restrictions should be applied.
+ *
+ */
+ @AssistedInject
+ public AccessEnforcingDelegatingTunnel(
+ @Nonnull @Assisted GuacamoleTunnel tunnel,
+ @Nonnull @Assisted ModeledAuthenticatedUser modeledAuthenticatedUser) {
+
+ super(tunnel);
+ this.user = new AtomicReference<>(modeledAuthenticatedUser.getUser());
+
+ this.userRefreshThread = new Thread(() -> {
+ while (true) {
+
+ try {
+
+ // Fetch an up-to-date user record from the DB to ensure
+ // that any access restrictions modified while this tunnel
+ // is open will be taken into account
+ this.user.set(userService.retrieveUser(
+ modeledAuthenticatedUser.getAuthenticationProvider(),
+ modeledAuthenticatedUser));
+ }
+
+ // If an error occurs while trying to fetch the updated user,
+ // log the warning / exception and stop the refresh thread
+ catch (GuacamoleException e) {
+
+ logger.warn(
+ "Aborting user refresh thread due to error: {}",
+ e.getMessage());
+ logger.debug(
+ "Exception caught while attempting to refresh user.", e);
+
+ return;
+ }
+
+ try {
+
+ // Wait a bit before refreshing the user record again
+ Thread.sleep(USER_MODEL_REFRESH_INTERVAL);
+ }
+
+ // If interrupted by the tunnel, exit immediately
+ catch (InterruptedException e) {
+ return;
+ }
+ }
+ });
+ }
+
+ @Override
+ public GuacamoleReader acquireReader() {
+
+ // Start periodically refreshing the user record
+ userRefreshThread.start();
+
+ // Filter received instructions, checking if the user's login
+ // is still valid for each one. If the login is invalid,
+ // log them out immediately and close the tunnel.
+ return new FilteredGuacamoleReader(
+ super.acquireReader(),
+ new GuacamoleFilter() {
+
+ @Override
+ public GuacamoleInstruction filter(
+ GuacamoleInstruction instruction) throws GuacamoleException {
+
+ // The user record, at most USER_MODEL_REFRESH_INTERVAL
+ // milliseconds old
+ ModeledUser modeledUser = user.get();
+
+ // If the user is outside of a valid access time window,
+ // or disabled, throw an exception to immediately log them out
+ if (
+ !modeledUser.isAccountAccessible()
+ || !modeledUser.isAccountValid()
+ || modeledUser.isDisabled()
+ ) {
+ throw new GuacamoleUnauthorizedException("Permission Denied.");
+ }
+
+ return instruction;
+ }
+ }
+ );
+ }
+
+ @Override
+ public void releaseReader() {
+
+ // Interrupt the refresh thread; it will clean itself up
+ userRefreshThread.interrupt();
+
+ super.releaseReader();
+ }
+
+ @Override
+ public void close() throws GuacamoleException {
+
+ // Interrupt the refresh thread; it will clean itself up
+ userRefreshThread.interrupt();
+
+ super.close();
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnelFactory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnelFactory.java
new file mode 100644
index 000000000..0c6350766
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AccessEnforcingDelegatingTunnelFactory.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.jdbc.tunnel;
+
+import javax.annotation.Nonnull;
+
+import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
+import org.apache.guacamole.net.GuacamoleTunnel;
+
+/**
+ * A factory for creating AccessEnforcingDelegatingTunnel instances.
+ */
+public interface AccessEnforcingDelegatingTunnelFactory {
+
+ /**
+ * Create and return a new AccessEnforcingDelegatingTunnel wrapping the
+ * provided tunnel and enforcing the user restrictions associated with the
+ * provided user.
+ *
+ * @param tunnel
+ * The tunnel to delegate to.
+ *
+ * @param user
+ * The user whose access window restrictions should be applied for the
+ * wrapped tunel.
+ *
+ * @return
+ * A new AccessEnforcingDelegatingTunnel wrapping the provided tunnel
+ * and enforcing the user restrictions associated with the provided
+ * user.
+ *
+ */
+ public AccessEnforcingDelegatingTunnel create(
+ @Nonnull GuacamoleTunnel tunnel,
+ @Nonnull ModeledAuthenticatedUser user);
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/ActiveConnectionRecord.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/ActiveConnectionRecord.java
index c3150ca97..df25159a9 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/ActiveConnectionRecord.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/ActiveConnectionRecord.java
@@ -21,6 +21,9 @@ package org.apache.guacamole.auth.jdbc.tunnel;
import java.util.Date;
import java.util.UUID;
+
+import javax.annotation.Nonnull;
+
import org.apache.guacamole.auth.jdbc.connection.ConnectionRecordModel;
import org.apache.guacamole.auth.jdbc.connection.ModeledConnection;
import org.apache.guacamole.auth.jdbc.connection.ModeledConnectionRecord;
@@ -377,6 +380,8 @@ public class ActiveConnectionRecord extends ModeledConnectionRecord {
* @return
* The newly-created tunnel associated with this connection record.
*/
+ @Nonnull
+ @SuppressWarnings("null")
public GuacamoleTunnel assignGuacamoleTunnel(final GuacamoleSocket socket,
String connectionID) {
@@ -400,6 +405,8 @@ public class ActiveConnectionRecord extends ModeledConnectionRecord {
this.connectionID = connectionID;
// Return newly-created tunnel
+ // NOTE: Guaranteed to be non-null since it was just set in this
+ // method, and there is no functionality to set it to null
return this.tunnel;
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserDirectory.java
index dffd8e2ec..db8bea12f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserDirectory.java
@@ -45,12 +45,14 @@ public class UserDirectory extends RestrictedObject
@Override
public User get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return userService.retrieveObject(getCurrentUser(), identifier);
}
@Override
@Transactional
public Collection getAll(Collection identifiers) throws GuacamoleException {
+ validateUserAccess();
Collection objects = userService.retrieveObjects(getCurrentUser(), identifiers);
return Collections.unmodifiableCollection(objects);
}
@@ -58,18 +60,21 @@ public class UserDirectory extends RestrictedObject
@Override
@Transactional
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return userService.getIdentifiers(getCurrentUser());
}
@Override
@Transactional
public void add(User object) throws GuacamoleException {
+ validateUserAccess();
userService.createObject(getCurrentUser(), object);
}
@Override
@Transactional
public void update(User object) throws GuacamoleException {
+ validateUserAccess();
ModeledUser user = (ModeledUser) object;
userService.updateObject(getCurrentUser(), user);
}
@@ -77,6 +82,7 @@ public class UserDirectory extends RestrictedObject
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
userService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupDirectory.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupDirectory.java
index 911b8521f..f61af0bea 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupDirectory.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupDirectory.java
@@ -44,12 +44,14 @@ public class UserGroupDirectory extends RestrictedObject
@Override
public UserGroup get(String identifier) throws GuacamoleException {
+ validateUserAccess();
return userGroupService.retrieveObject(getCurrentUser(), identifier);
}
@Override
@Transactional
public Collection getAll(Collection identifiers) throws GuacamoleException {
+ validateUserAccess();
Collection objects = userGroupService.retrieveObjects(getCurrentUser(), identifiers);
return Collections.unmodifiableCollection(objects);
}
@@ -57,18 +59,21 @@ public class UserGroupDirectory extends RestrictedObject
@Override
@Transactional
public Set getIdentifiers() throws GuacamoleException {
+ validateUserAccess();
return userGroupService.getIdentifiers(getCurrentUser());
}
@Override
@Transactional
public void add(UserGroup object) throws GuacamoleException {
+ validateUserAccess();
userGroupService.createObject(getCurrentUser(), object);
}
@Override
@Transactional
public void update(UserGroup object) throws GuacamoleException {
+ validateUserAccess();
ModeledUserGroup group = (ModeledUserGroup) object;
userGroupService.updateObject(getCurrentUser(), group);
}
@@ -76,6 +81,7 @@ public class UserGroupDirectory extends RestrictedObject
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
+ validateUserAccess();
userGroupService.deleteObject(getCurrentUser(), identifier);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
index d8344ec81..9ac722624 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
@@ -412,4 +412,13 @@ public class MySQLEnvironment extends JDBCEnvironment {
true);
}
+ @Override
+ public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
+
+ // Enforce access window restrictions for active sessions unless explicitly disabled
+ return getProperty(
+ MySQLGuacamoleProperties.MYSQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
+ true);
+ }
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
index 6a5944fd3..c676feaad 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
@@ -278,4 +278,17 @@ public class MySQLGuacamoleProperties {
};
+ /**
+ * Whether or not user-specific access time windows should be enforced for active sessions,
+ * i.e. whether users with active sessions should be logged out immediately when an access
+ * window closes or the user is disabled.
+ */
+ public static final BooleanGuacamoleProperty MYSQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
+ new BooleanGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "mysql-enforce-access-windows-for-active-sessions"; }
+
+ };
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
index ac08e0ae0..5e0a5a1fe 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
@@ -371,4 +371,13 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
true);
}
+ @Override
+ public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
+
+ // Enforce access window restrictions for active sessions unless explicitly disabled
+ return getProperty(
+ PostgreSQLGuacamoleProperties.POSTGRESQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
+ true);
+ }
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
index dfa00b68c..636c0a1c7 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
@@ -290,4 +290,17 @@ public class PostgreSQLGuacamoleProperties {
};
+ /**
+ * Whether or not user-specific access time windows should be enforced for active sessions,
+ * i.e. whether users with active sessions should be logged out immediately when an access
+ * window closes or the user is disabled.
+ */
+ public static final BooleanGuacamoleProperty POSTGRESQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
+ new BooleanGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-enforce-access-windows-for-active-sessions"; }
+
+ };
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java
index 0b6983691..7d88d7399 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java
@@ -268,4 +268,13 @@ public class SQLServerEnvironment extends JDBCEnvironment {
true);
}
+ @Override
+ public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
+
+ // Enforce access window restrictions for active sessions unless explicitly disabled
+ return getProperty(
+ SQLServerGuacamoleProperties.SQLSERVER_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
+ true);
+ }
+
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java
index 432454ed8..e7b1c6982 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java
@@ -220,4 +220,17 @@ public class SQLServerGuacamoleProperties {
};
+ /**
+ * Whether or not user-specific access time windows should be enforced for active sessions,
+ * i.e. whether users with active sessions should be logged out immediately when an access
+ * window closes or the user is disabled.
+ */
+ public static final BooleanGuacamoleProperty SQLSERVER_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
+ new BooleanGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "sqlserver-enforce-access-windows-for-active-sessions"; }
+
+ };
+
}