GUAC-1342: Perform token substitution on connections retrieved from LDAP.

2025-09-06 13:17:41 +00:00 · 2015-11-02 17:37:13 -08:00
parent dc41f58639
commit 600fc081f6
2 changed files with 17 additions and 3 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
@@ -37,9 +37,12 @@ import org.glyptodon.guacamole.auth.ldap.ConfigurationService;
 import org.glyptodon.guacamole.auth.ldap.EscapingService;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleServerException;
+import org.glyptodon.guacamole.net.auth.AuthenticatedUser;
 import org.glyptodon.guacamole.net.auth.Connection;
 import org.glyptodon.guacamole.net.auth.simple.SimpleConnection;
 import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
+import org.glyptodon.guacamole.token.StandardTokens;
+import org.glyptodon.guacamole.token.TokenFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@@ -72,6 +75,10 @@ public class ConnectionService {
     * Returns all Guacamole connections accessible to the user currently bound
     * under the given LDAP connection.
     *
+     * @param user
+     *     The AuthenticatedUser object associated with the user who is
+     *     currently authenticated with Guacamole.
+     *
     * @param ldapConnection
     *     The current connection to the LDAP server, associated with the
     *     current user.
@@ -84,8 +91,8 @@ public class ConnectionService {
     * @throws GuacamoleException
     *     If an error occurs preventing retrieval of connections.
     */
-    public Map<String, Connection> getConnections(LDAPConnection ldapConnection)
-            throws GuacamoleException {
+    public Map<String, Connection> getConnections(AuthenticatedUser user,
+            LDAPConnection ldapConnection) throws GuacamoleException {

        // Do not return any connections if base DN is not specified
        String configurationBaseDN = confService.getConfigurationBaseDN();
@@ -111,6 +118,10 @@ public class ConnectionService {
                false
            );

+            // Build token filter containing credential tokens
+            TokenFilter tokenFilter = new TokenFilter();
+            StandardTokens.addStandardTokens(tokenFilter, user.getCredentials());
+
            // Produce connections for each readable configuration
            Map<String, Connection> connections = new HashMap<String, Connection>();
            while (results.hasMore()) {
@@ -163,6 +174,9 @@ public class ConnectionService {

                }

+                // Filter the configuration, substituting all defined tokens
+                tokenFilter.filterValues(config.getParameters());
+
                // Store connection using cn for both identifier and name
                String name = cn.getStringValue();
                Connection connection = new SimpleConnection(name, name, config);
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserContext.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserContext.java
@@ -134,7 +134,7 @@ public class UserContext implements org.glyptodon.guacamole.net.auth.UserContext

        // Query all accessible connections
        connectionDirectory = new SimpleDirectory<Connection>(
-            connectionService.getConnections(ldapConnection)
+            connectionService.getConnections(user, ldapConnection)
        );

        // Root group contains only connections