From 420ffa175d5f3b35c86e9931bc29fe23fc59ce48 Mon Sep 17 00:00:00 2001
From: Edgardo Rodriguez
Date: Sun, 26 Jul 2020 11:56:35 -0300
Subject: [PATCH] GUACAMOLE-1130: Only retrieve LDAP attributes that are strictly necessary

---
 .../auth/ldap/ObjectQueryService.java | 18 +++++++++++++-----
 .../ldap/connection/ConnectionService.java | 2 +-
 .../auth/ldap/group/UserGroupService.java | 14 +++++++++++---
 3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java
index 229eb1ba5..7507948fa 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java
@@ -197,6 +197,10 @@ public class ObjectQueryService {
      * @param searchHop
      *     The current level of referral depth for this search, used for
      *     limiting the maximum depth to which referrals can go.
+     *
+     * @param relevantAttributes
+     *     The attribute(s) relevant to return for this search,
+     *     if all available should be returned pass null as value.
      *
      * @return
      *     A list of all results accessible to the user currently bound under
@@ -208,7 +212,8 @@ public class ObjectQueryService {
      *     guacamole.properties.
      */
     public List search(LdapNetworkConnection ldapConnection,
-            Dn baseDN, ExprNode query, int searchHop) throws GuacamoleException {
+            Dn baseDN, ExprNode query, int searchHop,
+            Collection relevantAttributes) throws GuacamoleException {
 
         // Refuse to follow referrals if limit has been reached
         int maxHops = confService.getMaxReferralHops();
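Review bot: The new `@param relevantAttributes` sentence ("if all available should be returned pass null as value") is hard to parse and leaves open what an empty collection means; with the `if (relevantAttributes != null)` guard added later in the same method, an empty collection adds nothing to the request, and an LDAP search request with an empty attribute list is treated by the server as a request for all user attributes (RFC 4511), so null and empty behave the same and the doc should say so. Suggested text: ` *     The names of the attributes to request for each returned entry. If null or empty, all attributes are returned.` The signature hunk at @@ -208 introduces the parameter itself; the body of search() continues past both hunks.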
@@ -225,12 +230,15 @@ public class ObjectQueryService {
 
         // Search within subtree of given base DN
         SearchRequest request = ldapService.getSearchRequest(baseDN, query);
-
+        if (relevantAttributes != null) {
+            request.addAttributes(relevantAttributes.toArray(new String[0]));
+        }
+
         // Produce list of all entries in the search result, automatically
         // following referrals if configured to do so
         List entries = new ArrayList<>();
-
         try (SearchCursor results = ldapConnection.search(request)) {
+
             while (results.next()) {
 
                 // Add entry directly if no referral is involved
@@ -251,7 +259,7 @@ public class ObjectQueryService {
                 try (LdapNetworkConnection referralConnection = ldapService.bindAs(url, ldapConnection)) {
                     if (referralConnection != null) {
                         logger.debug("Following referral to \"{}\"...", url);
-                        entries.addAll(search(referralConnection, baseDN, query, searchHop + 1));
+                        entries.addAll(search(referralConnection, baseDN, query, searchHop + 1, relevantAttributes));
                     }
                     else
                         logger.debug("Could not bind with LDAP "
@@ -329,7 +337,7 @@ public class ObjectQueryService {
             ExprNode filter, Collection attributes, String attributeValue) throws GuacamoleException {
         ExprNode query = generateQuery(filter, attributes, attributeValue);
-        return search(ldapConnection, baseDN, query, 0);
+        return search(ldapConnection, baseDN, query, 0, attributes);
     }
 
     /**
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
index 6b2d840a1..cb6f037c2 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
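Review bot: The restriction at `request.addAttributes(relevantAttributes.toArray(new String[0]));` changes what the returned entries contain, but nothing at that line says so: an entry is still found, yet any attribute a caller later reads that was not in `relevantAttributes` will be absent, which is easy to miss when a caller is changed to pass a narrower list. Suggest a comment on that line: `// Only the requested attributes are populated on returned entries; callers must list every attribute they later read`. The same list is also forwarded to referral searches in the hunk at @@ -251, so the comment covers those too. The enclosing search() method begins before this hunk.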
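Review bot: `return search(ldapConnection, baseDN, query, 0, attributes);` reuses the same `attributes` collection both for the filter built by `generateQuery(filter, attributes, attributeValue)` (which, judging from the argument order and the old singleton call in UserGroupService, matches `attributeValue` against each listed attribute) and as the set of attributes to retrieve, so any caller that widens the list to get more attributes back also widens the filter. The UserGroupService hunk at @@ -214 does exactly that: the filter previously matched only the member attribute, and with `groupAttributes` (member plus the group name attributes) it would also match groups whose name attribute equals `userIDorDN`, reporting a user as a member of any group that merely shares its name. The two concerns need separate parameters, e.g. the signature becomes `ExprNode filter, Collection attributes, String attributeValue, Collection returnedAttributes` and the body `return search(ldapConnection, baseDN, query, 0, returnedAttributes);`, with UserGroupService passing `Collections.singleton(confService.getMemberAttribute())` for the filter and `groupAttributes` for retrieval. The method's signature starts before this hunk.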
@@ -126,7 +126,7 @@ public class ConnectionService {
         // and possibly any groups the user is a member of that are
         // referred to in the seeAlso attribute of the guacConfigGroup.
         List results = queryService.search(ldapConnection,
-                configurationBaseDN, connectionSearchFilter, 0);
+                configurationBaseDN, connectionSearchFilter, 0, null);
 
         // Return a map of all readable connections
         return queryService.asMap(results, (entry) -> {
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
index 6d97a930a..af1281a4e 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -18,8 +18,8 @@
  */
 package org.apache.guacamole.auth.ldap.group;
 
-
 import com.google.inject.Inject;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -192,7 +192,7 @@ public class UserGroupService {
                 ldapConnection,
                 userDN,
                 confService.getUserSearchFilter(),
-                0);
+                0, null);
         // ... there can surely only be one
         if (userEntries.size() != 1)
             logger.warn("user DN \"{}\" does not return unique value "
@@ -214,13 +214,21 @@ public class UserGroupService {
             }
         }
 
+        // Gather all attributes relevant for a group
+        ArrayList groupAttributes = new ArrayList();
+        groupAttributes.add(confService.getMemberAttribute());
+        confService.getGroupNameAttributes().forEach(
+            attribute -> groupAttributes.add(attribute)
+        );
+
         // Get all groups the user is a member of starting at the groupBaseDN,
         // excluding guacConfigGroups
+
         return queryService.search(
                 ldapConnection,
                 groupBaseDN,
                 getGroupSearchFilter(),
-                Collections.singleton(confService.getMemberAttribute()),
+                groupAttributes,
                 userIDorDN
         );
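Review bot: Passing `null` in `configurationBaseDN, connectionSearchFilter, 0, null);` keeps fetching every attribute of each matched entry, so this call site gets nothing from the new restriction even though the commit's stated goal is to retrieve only what is strictly necessary. If the `asMap` lambda that follows (its body is outside the hunk) reads a fixed set of attributes, pass that set instead of `null`, including the `seeAlso` attribute the comment above refers to; a short comment such as `// null: all attributes are needed here` would justify keeping `null` otherwise. The user lookup at @@ -192 in UserGroupService passes `null` in the same way and deserves the same treatment.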
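Review bot: The `forEach` whose lambda only does `groupAttributes.add(attribute)` is a hand-written `addAll`; the six lines building `groupAttributes` reduce to `List groupAttributes = new ArrayList<>();`, `groupAttributes.add(confService.getMemberAttribute());` and `groupAttributes.addAll(confService.getGroupNameAttributes());`, which also declares the local by its interface type rather than `ArrayList`. The blank line the hunk inserts between `// excluding guacConfigGroups` and `return queryService.search(` separates the comment from the statement it describes and should be dropped. The enclosing method starts before this hunk.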