From a486408ec15ef7be574188927b4640c2c395f559 Mon Sep 17 00:00:00 2001
From: Bojan Zelic
Date: Fri, 18 Dec 2020 09:01:15 -0700
Subject: [PATCH 1/2] GUACAMOLE-1218: Use TokenFilter to inject tokens from configuration attributes
---
 .../auth/json/connection/ConnectionService.java | 16 ++++++++++------
 .../auth/json/user/UserDataConnection.java | 2 +-
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/connection/ConnectionService.java b/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/connection/ConnectionService.java
index 128aac5b1..0cf4e25db 100644
--- a/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/connection/ConnectionService.java
@@ -43,6 +43,7 @@ import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
 import org.apache.guacamole.protocol.ConfiguredGuacamoleSocket;
 import org.apache.guacamole.protocol.GuacamoleClientInformation;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
+import org.apache.guacamole.token.TokenFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -166,7 +167,7 @@ public class ConnectionService {
 * connect is denied.
 */
 public GuacamoleTunnel connect(UserData.Connection connection,
- GuacamoleClientInformation info) throws GuacamoleException {
+ GuacamoleClientInformation info, Map tokens) throws GuacamoleException {
 // Retrieve proxy configuration from environment
 GuacamoleProxyConfiguration proxyConfig = environment.getDefaultGuacamoleProxyConfiguration();
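Review bot: The new `tokens` parameter of `connect()` is not documented: the hunk shows only the tail of the Javadoc (`* connect is denied. */`) and no other hunk in this patch touches that comment, so it presumably still describes only `connection` and `info`. Add something like `@param tokens A Map of token names to values, substituted into the connection parameters before connecting.` and state whether null is accepted. The parameter appears here as a raw `Map`; if that is what was committed rather than an artifact of this page, declare it as `Map<String, String>` so the compiler checks what reaches `TokenFilter`. The method body continues outside the hunk.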
@@ -176,14 +177,17 @@ public class ConnectionService {
 int port = proxyConfig.getPort();
 // Generate and verify connection configuration
- GuacamoleConfiguration config = getConfiguration(connection);
- if (config == null) {
+ GuacamoleConfiguration filteredConfig = getConfiguration(connection);
+ if (filteredConfig == null) {
 logger.debug("Configuration for connection could not be " + "generated. Perhaps the connection being joined is not " + "active?");
 throw new GuacamoleResourceNotFoundException("No such connection");
 }
+ // Apply tokens to config parameters
+ new TokenFilter(tokens).filterValues(filteredConfig.getParameters());
+
 // Determine socket type based on required encryption method
 final ConfiguredGuacamoleSocket socket;
 switch (proxyConfig.getEncryptionMethod()) {
@@ -192,7 +196,7 @@ public class ConnectionService {
 case SSL:
 socket = new ConfiguredGuacamoleSocket(
 new SSLGuacamoleSocket(hostname, port),
- config, info
+ filteredConfig, info
 );
 break;
@@ -200,7 +204,7 @@ public class ConnectionService {
 case NONE:
 socket = new ConfiguredGuacamoleSocket(
 new InetGuacamoleSocket(hostname, port),
- config, info
+ filteredConfig, info
 );
 break;
@@ -277,7 +281,7 @@ public class ConnectionService {
 // Track tunnels which join connections, such that they can be
 // automatically closed when the joined connection closes
- String joinedConnection = config.getConnectionID();
+ String joinedConnection = filteredConfig.getConnectionID();
 if (joinedConnection != null) {
 // Track shadower of joined connection if possible
diff --git a/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataConnection.java b/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataConnection.java
index fd24f91f2..48a9de18d 100644
--- a/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataConnection.java
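Review bot: In the `@@ -176,14 +177,17 @@` hunk, `filterValues(filteredConfig.getParameters())` rewrites the configuration's parameter map in place, so it is only safe if `getConfiguration(connection)` builds a fresh `GuacamoleConfiguration` on every call; that method is outside the hunk. If it ever returns a shared or cached object, one user's substituted values (for example the expansion of `${GUAC_USERNAME}`) would persist into later connections and the placeholders would be gone. Keeping `config` as the unfiltered result and filtering a copy, `GuacamoleConfiguration filteredConfig = new GuacamoleConfiguration(config);`, removes that dependency and makes the name accurate at the null check, where nothing has been filtered yet. `tokens` also reaches `new TokenFilter(tokens)` unchecked, so a null map should be either guarded against or ruled out by the documented contract. The body of `connect()` continues outside the hunk.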
+++ b/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataConnection.java
@@ -180,7 +180,7 @@ public class UserDataConnection implements Connection {
 }
 // Perform connection operation
- return connectionService.connect(connection, info);
+ return connectionService.connect(connection, info, tokens);
 }
From 0fb4877d84948c5a5d6b087c868d1e2984a591e6 Mon Sep 17 00:00:00 2001
From: Bojan Zelic
Date: Fri, 18 Dec 2020 09:02:47 -0700
Subject: [PATCH 2/2] GUACAMOLE-1218: Update documentation to show tokens being used as part of the encrypted json
---
 extensions/guacamole-auth-json/README.md | 37 +++++++++++++++---------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/extensions/guacamole-auth-json/README.md b/extensions/guacamole-auth-json/README.md
index 2b6db308d..024d08183 100644
--- a/extensions/guacamole-auth-json/README.md
+++ b/extensions/guacamole-auth-json/README.md
@@ -151,14 +151,20 @@ For example, if you have a file called `auth.json` containing the following:
 "protocol" : "rdp",
 "parameters" : {
 "hostname" : "10.10.209.63",
- "port" : "3389"
+ "port" : "3389",
+ "ignore-cert": "true",
+ "recording-path": "/recordings",
+ "recording-name": "My-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
 }
 },
 "My OTHER Connection" : {
 "protocol" : "rdp",
 "parameters" : {
 "hostname" : "10.10.209.64",
- "port" : "3389"
+ "port" : "3389",
+ "ignore-cert": "true",
+ "recording-path": "/recordings",
+ "recording-name": "My-OTHER-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
 }
 }
 }
@@ -170,17 +176,22 @@ and you run:
 You will receive the following output:
- le2Ug6YIo4perD2GV17QtWvOdfSemVDDtCOdRYJlbdUf3fhN+63LpQa1RDkzU7Zc
- DW3+OtyTCBGQ7OLO+HpG6pHNom76BXpmnHSRx1UdQ3WVZelPUXEDzxe74aN6DUP9
- G9isXhBMdLUhZwEJf4k4Gpzt9MHAH5PufSKq3DO1UHnrRjdGbKKddug2BcuDrwJM
- UJf1tRX9CAEC11/gWEwrHDOhH/abeyeDyElbaEG/oOY8EdoFNYgUsjI2x31OpCuB
- sEv7FOFafL05wEoIFv0/pPft0DHk7GuvHBBCqXuK98yMEo3d0zD5D+IsOY8Rmm1+
- 0CoWkX22mqyRQMFS2fTp/fClCN4QLb0aNn+unweTimd2SXN9cjREmZknXf7Tj8oU
- /FNXc37i0HEfG5aVgp5znMCwwRAOFnFhLqG3K2yaTRE+hLNBxltIjLfFmNG5TZZA
- gUdKyuegsOd0KS5iHdW6tPI01AwfRO9y2z20t3flsgDp50EGWjT2/TTA5Nkjnnjk
- JXNzCOfM7DCI/ioEz6Ga140qXfOX/g8SGiukpwt+j0ANI573TdVt7nsp7MZX2qKg
- 2GcoNqjBqQxqpqI5ZYz4KVfD4cYu8KDZ9MiFMzbUwwKNSzYxiep1KJwiG0HQThHg
- oX2FJYOFCFcinQgGkUOaBJK1K0bo1ouaBSe4iGPjd54=
+ A2Pf5Kpmm97I2DT1PifIrfU6q3yzoGcIbNXEd60WNangT8DAVjAl6luaqwhBJnCK
+ uqcf9ZZlRo3uDxTHvUM3eq1YvdghL0GbosOn8Mn38j2ydOMk+Cd15a8ggb4/ddt/
+ yIBK4DxrN7MNbouZ091KYtXC6m20E6sGzLy676BlMSg1cmsENRIihOynsSLSCvo0
+ diif6H7T+ZuIqF7B5SW+adGfMaHlfknlIvSpLGHhrIP4aMYE/ZU2vYNg8ez27sCS
+ wDBWu5lERtfCYFyU4ysjRU5Hyov+yKa+O7jcRYpw3N+fHbCg7/dxVNW07qNOKssv
+ pzUciGvDPUCPpa02WmPJNEBowwQireO1952/MNAI77cW2UepbljD/bwOiZl2THJz
+ LrENo7K5acimBa+EjWEesgn7lx/WTCF3zxR6TH1CWrQM8Et1aUK1Nf8K11xEQbTy
+ klyaNtCmTfyahRZ/fUPxDNrdJVpPOSELkf7RJO5tOdK/FFIFIbze3ZUyXgRq+pHY
+ owpgOmudDBTBlxhXiONdutRI/RZbFM/7GBMdmI8AR/401OCV3nsI4jLhukjMXH3V
+ f3pQg+xKMhi/QExHhDk8VTNYk7GurK4vgehn7HQ0oSGh8pGcmxB6W43cz+hyn6VQ
+ On6i90cSnIhRO8SysZt332LwJCDm7I+lBLaI8NVHU6bnAY1Axx5oH3YTKc4qzHls
+ HEAFYLkD6aHMvHkF3b798CMravjxiJV3m7hsXDbaFN6AFhn8GIkMRRrjuevfZ+q9
+ enWN14s24vt5OVg69DljzALobUNKUXFx69SR8EpSBvUcKq8s/OgbDpFvKbwsDY57
+ HGT4T0CuRIA0TGUI075uerKBNApVhuBA1BmWJIrI4JXw5MuX6pdBe+MYccO3vfo+
+ /frazj8rHdkDa/IbueMbvq+1ozV2+UuxrbaTrV2i4jSRgd74U0QzOh9e8Q0i7vOi
+ l3hnIfOfg+v1oULmZmJSeiAYWxeGvPptp+n7rNFqHGM=
 The resulting base64 data above, if submitted using the `data` parameter to Guacamole, will authenticate a user and grant them access to the connections