GUACAMOLE-641: Obtain connection hostname and/or username for vault tokens via privileged access, if possible.

2025-09-06 13:17:41 +00:00 · 2022-01-21 15:23:41 -08:00
parent 5aba0cd09d
commit 4d3b2a9435
1 changed files with 38 additions and 4 deletions
--- a/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java
+++ b/extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java
@@ -32,7 +32,6 @@ import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.TokenInjectingUserContext;
 import org.apache.guacamole.net.auth.UserContext;
-import org.apache.guacamole.protocol.GuacamoleConfiguration;
 import org.apache.guacamole.token.GuacamoleTokenUndefinedException;
 import org.apache.guacamole.token.TokenFilter;
 import org.apache.guacamole.vault.conf.VaultConfigurationService;
@@ -286,6 +285,41 @@ public class VaultUserContext extends TokenInjectingUserContext {

    }

+    /**
+     * Retrieves the connection parameters associated with the
+     * GuacamoleConfiguration of the given Connection. If possible, privileged
+     * access to those parameters is obtained first. Note that the underlying
+     * extension is not required to allow privileged access, nor is it
+     * required to expose the underlying connection parameters at all.
+     *
+     * @param connection
+     *     The connection to retrieve parameters from.
+     *
+     * @return
+     *     A Map of all connection parameters exposed by the underlying
+     *     extension for the given connection, which may be empty.
+     *
+     * @throws GuacamoleException
+     *     If an error prevents privileged retrieval of parameters.
+     */
+    private Map<String, String> getConnectionParameters(Connection connection)
+            throws GuacamoleException {
+
+        String identifier = connection.getIdentifier();
+
+        // Obtain privileged access to parameters if possible (note that the
+        // UserContext returned by getPrivileged() is not guaranteed to
+        // actually be privileged)
+        Connection privilegedConnection = getPrivileged().getConnectionDirectory().get(identifier);
+        if (privilegedConnection != null)
+            return privilegedConnection.getConfiguration().getParameters();
+
+        // Fall back to unprivileged access if not implemented/allowed by
+        // extension
+        return connection.getConfiguration().getParameters();
+
+    }
+
    @Override
    protected Map<String, String> getTokens(Connection connection)
            throws GuacamoleException {
@@ -303,9 +337,9 @@ public class VaultUserContext extends TokenInjectingUserContext {
        // Add hostname and username tokens if available (implementations are
        // not required to expose connection configuration details)

-        GuacamoleConfiguration config = connection.getConfiguration();
+        Map<String, String> parameters = getConnectionParameters(connection);

-        String hostname = config.getParameter("hostname");
+        String hostname = parameters.get("hostname");
        if (hostname != null)
            filter.setToken(CONNECTION_HOSTNAME_TOKEN, hostname);
        else
@@ -314,7 +348,7 @@ public class VaultUserContext extends TokenInjectingUserContext {
                    + "secret names.", identifier, name,
                    CONNECTION_HOSTNAME_TOKEN);

-        String username = config.getParameter("username");
+        String username = parameters.get("username");
        if (username != null)
            filter.setToken(CONNECTION_USERNAME_TOKEN, username);
        else