From 4d3b2a943550d6882a23c461ad2f6fb2e0a446f2 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Fri, 21 Jan 2022 15:23:41 -0800
Subject: [PATCH] GUACAMOLE-641: Obtain connection hostname and/or username for vault tokens via privileged access, if possible.

---
 .../vault/user/VaultUserContext.java | 42 +++++++++++++++++--
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java b/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java
index 9772815cb..cf3d99107 100644
--- a/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java
+++ b/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java
@@ -32,7 +32,6 @@ import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.TokenInjectingUserContext;
 import org.apache.guacamole.net.auth.UserContext;
-import org.apache.guacamole.protocol.GuacamoleConfiguration;
 import org.apache.guacamole.token.GuacamoleTokenUndefinedException;
 import org.apache.guacamole.token.TokenFilter;
 import org.apache.guacamole.vault.conf.VaultConfigurationService;
@@ -286,6 +285,41 @@ public class VaultUserContext extends TokenInjectingUserContext {
     }
+    /**
+     * Retrieves the connection parameters associated with the
+     * GuacamoleConfiguration of the given Connection. If possible, privileged
+     * access to those parameters is obtained first. Note that the underlying
+     * extension is not required to allow privileged access, nor is it
+     * required to expose the underlying connection parameters at all.
+     *
+     * @param connection
+     *     The connection to retrieve parameters from.
+     *
+     * @return
+     *     A Map of all connection parameters exposed by the underlying
+     *     extension for the given connection, which may be empty.
+     *
+     * @throws GuacamoleException
+     *     If an error prevents privileged retrieval of parameters.
+     */
+    private Map getConnectionParameters(Connection connection)
+            throws GuacamoleException {
+        String identifier = connection.getIdentifier();
+        // Obtain privileged access to parameters if possible (note that the
+        // UserContext returned by getPrivileged() is not guaranteed to
+        // actually be privileged)
+        Connection privilegedConnection = getPrivileged().getConnectionDirectory().get(identifier);
+        if (privilegedConnection != null)
+            return privilegedConnection.getConfiguration().getParameters();
+        // Fall back to unprivileged access if not implemented/allowed by
+        // extension
+        return connection.getConfiguration().getParameters();
+    }
     @Override
     protected Map getTokens(Connection connection) throws GuacamoleException {
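Review bot: The privileged lookup `getPrivileged().getConnectionDirectory().get(identifier)` in getConnectionParameters() only falls back to the unprivileged connection when it returns null; if the underlying extension instead signals a lack of access by throwing (a GuacamoleSecurityException from the directory, for instance), getTokens() fails entirely rather than degrading as the "Fall back to unprivileged access" comment promises. Either reword that comment and the @throws text to say a failed privileged lookup is fatal, or catch GuacamoleSecurityException around the lookup and treat it like a null result. Separately, the returned map carries every parameter of the privileged configuration, including any credentials the requesting user is not otherwise permitted to read, so the Javadoc should state that callers must extract only the specific non-sensitive keys they need and never log or expose the map, e.g. `* The returned Map may contain credentials the current user is not permitted to see; read only the specific non-sensitive parameters required.`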
@@ -303,9 +337,9 @@ public class VaultUserContext extends TokenInjectingUserContext {
         // Add hostname and username tokens if available (implementations are
         // not required to expose connection configuration details)
-        GuacamoleConfiguration config = connection.getConfiguration();
+        Map parameters = getConnectionParameters(connection);
-        String hostname = config.getParameter("hostname");
+        String hostname = parameters.get("hostname");
         if (hostname != null)
             filter.setToken(CONNECTION_HOSTNAME_TOKEN, hostname);
         else
@@ -314,7 +348,7 @@ public class VaultUserContext extends TokenInjectingUserContext {
                     + "secret names.", identifier, name, CONNECTION_HOSTNAME_TOKEN);
-        String username = config.getParameter("username");
+        String username = parameters.get("username");
         if (username != null)
             filter.setToken(CONNECTION_USERNAME_TOKEN, username);
         else