GUACAMOLE-1239: Make identifier comparison case-insensitive.

2025-09-06 13:17:41 +00:00 · 2023-07-18 17:26:40 -04:00
parent 073d1d476e
commit 4d5101574a
43 changed files with 853 additions and 12 deletions
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/conf/SSOEnvironment.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/conf/SSOEnvironment.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sso.conf;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.DelegatingEnvironment;
+import org.apache.guacamole.environment.LocalEnvironment;
+
+/**
+ * An SSO-specific environment that defines generic properties that can be used
+ * with any of the implemented SSO providers.
+ */
+public abstract class SSOEnvironment extends DelegatingEnvironment {
+    
+    /**
+     * Create a new instance of the SSOEnvironment using the underlying
+     * LocalEnvironment to read configured properties.
+     */
+    public SSOEnvironment() {
+        super(LocalEnvironment.getInstance());
+    }
+    
+    /**
+     * Returns true if the usernames provided to the SSO authentication
+     * module should be treated as case-sensitive, or false if usernames
+     * should be treated as case-insensitive. The default is true, usernames
+     * will be case-sensitive in keeping with the past behavior of Guacamole
+     * prior to the addition of this option.
+     * 
+     * @return
+     *     true if usernames should be treated as case-sensitive, otherwise
+     *     false.
+     * 
+     * @throws GuacamoleException 
+     *     If guacamole.properties cannot be parsed.
+     */
+    public boolean getCaseSensitiveUsernames() throws GuacamoleException {
+        
+        // While most SSO systems do not use case to differentiate between
+        // usernames, this currently defaults to true to avoid suddenly
+        // breaking any extensions that rely on case-sensitivity.
+        return true;
+    }
+    
+}
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/user/SSOAuthenticatedUser.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/user/SSOAuthenticatedUser.java
@@ -23,9 +23,13 @@ import com.google.inject.Inject;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 /**
 * An AuthenticatedUser whose identity has been supplied by an arbitrary SSO
@@ -35,12 +39,23 @@ import org.apache.guacamole.net.auth.Credentials;
 */
 public class SSOAuthenticatedUser extends AbstractAuthenticatedUser {

+    /**
+     * Logger for this class.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(SSOAuthenticatedUser.class);
+    
    /**
     * Reference to the authentication provider associated with this
     * authenticated user.
     */
    @Inject
    private AuthenticationProvider authProvider;
+    
+    /**
+     * The environment in which this instance of Guacamole is running.
+     */
+    @Inject
+    private Environment environment;

    /**
     * The credentials provided when this user was authenticated.
@@ -112,5 +127,22 @@ public class SSOAuthenticatedUser extends AbstractAuthenticatedUser {
    public Set<String> getEffectiveUserGroups() {
        return effectiveGroups;
    }
+    
+    @Override
+    public boolean isCaseSensitive() {
+        try {
+            return environment.getCaseSensitiveUsernames();
+        }
+        catch (GuacamoleException e) {
+            // Most SSO systems do not consider usernames to be case-sensitive;
+            // however, in order to avoid any surprises created by the introduction
+            // of case-sensitivity, we've opted to continue to evaluate these
+            // usernames in a case-sensitive manner by default.
+            LOGGER.error("Error occurred when trying to retrieve case-sensitivity configuration: {}. "
+                    + "Usernames comparisons will be done in a case-sensitive manner.", e.getMessage());
+            LOGGER.debug("Exception caught when trying to access the case-sensitivity property.", e);
+            return true;
+        }
+    }

 }