GUACAMOLE-1224: Log user password updates.

2025-09-06 13:17:41 +00:00 · 2022-10-05 09:41:54 -07:00
parent 606c7bd55c
commit 36b5842d42
3 changed files with 58 additions and 11 deletions
--- a/guacamole/src/main/java/org/apache/guacamole/event/AffectedObject.java
+++ b/guacamole/src/main/java/org/apache/guacamole/event/AffectedObject.java
@@ -94,6 +94,10 @@ public class AffectedObject implements LoggableDetail {

            // Users
            case USER:
+
+                if (identifier.equals(event.getAuthenticatedUser().getIdentifier()))
+                    return "their own user account";
+
                objectType = "user";
                break;

--- a/guacamole/src/main/java/org/apache/guacamole/event/EventLoggingListener.java
+++ b/guacamole/src/main/java/org/apache/guacamole/event/EventLoggingListener.java
@@ -24,6 +24,8 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleResourceNotFoundException;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.Identifiable;
+import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
 import org.apache.guacamole.net.event.ApplicationShutdownEvent;
 import org.apache.guacamole.net.event.ApplicationStartedEvent;
@@ -32,6 +34,7 @@ import org.apache.guacamole.net.event.AuthenticationSuccessEvent;
 import org.apache.guacamole.net.event.DirectoryEvent;
 import org.apache.guacamole.net.event.DirectoryFailureEvent;
 import org.apache.guacamole.net.event.DirectorySuccessEvent;
+import org.apache.guacamole.net.event.IdentifiableObjectEvent;
 import org.apache.guacamole.net.event.UserSessionInvalidatedEvent;
 import org.apache.guacamole.net.event.listener.Listener;
 import org.slf4j.Logger;
@@ -48,6 +51,26 @@ public class EventLoggingListener implements Listener {
     */
    private final Logger logger = LoggerFactory.getLogger(EventLoggingListener.class);

+    /**
+     * Returns whether the given event affects the password of a User object.
+     *
+     * @param event
+     *     The event to check.
+     *
+     * @return
+     *     true if a user's password is specifically set or modified by the
+     *     given event, false otherwise.
+     */
+    private boolean isPasswordAffected(IdentifiableObjectEvent<?> event) {
+
+        Identifiable object = event.getObject();
+        if (!(object instanceof User))
+            return false;
+
+        return ((User) object).getPassword() != null;
+        
+    }
+
    /**
     * Logs that an operation was performed on an object within a Directory
     * successfully.
@@ -65,10 +88,16 @@ public class EventLoggingListener implements Listener {
                break;

            case ADD:
+                if (isPasswordAffected(event))
+                    logger.info("{} successfully created {}, setting their password", new RequestingUser(event), new AffectedObject(event));
+                else
                    logger.info("{} successfully created {}", new RequestingUser(event), new AffectedObject(event));
                break;

            case UPDATE:
+                if (isPasswordAffected(event))
+                    logger.info("{} successfully updated {}, changing their password", new RequestingUser(event), new AffectedObject(event));
+                else
                    logger.info("{} successfully updated {}", new RequestingUser(event), new AffectedObject(event));
                break;

--- a/guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java
@@ -41,6 +41,7 @@ import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.credentials.GuacamoleCredentialsException;
 import org.apache.guacamole.net.auth.simple.SimpleActivityRecordSet;
+import org.apache.guacamole.net.event.DirectoryEvent;
 import org.apache.guacamole.rest.directory.DirectoryObjectResource;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.history.UserHistoryResource;
@@ -134,6 +135,7 @@ public class UserResource
    public void updateObject(APIUser modifiedObject) throws GuacamoleException {

        // A user may not use this endpoint to update their password
+        try {
            User currentUser = getUserContext().self();
            if (
                    currentUser.getIdentifier().equals(modifiedObject.getUsername())
@@ -142,6 +144,11 @@ public class UserResource
                        "Permission denied. The password update endpoint must"
                        + " be used to change the current user's password.");
            }
+        }
+        catch (GuacamoleException | RuntimeException | Error e) {
+            fireDirectoryFailureEvent(DirectoryEvent.Operation.UPDATE, e);
+            throw e;
+        }

        super.updateObject(modifiedObject);

@@ -184,8 +191,15 @@ public class UserResource
        }

        // Set password to the newly provided one
+        try {
            user.setPassword(userPasswordUpdate.getNewPassword());
            getDirectory().update(user);
+            fireDirectorySuccessEvent(DirectoryEvent.Operation.UPDATE);
+        }
+        catch (GuacamoleException | RuntimeException | Error e) {
+            fireDirectoryFailureEvent(DirectoryEvent.Operation.UPDATE, e);
+            throw e;
+        }

    }