safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-07 13:41:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1623: Extract domain field directly from the vault, or split out of username.

Browse Source
This commit is contained in:
James Muehlner
2022-06-15 22:44:32 +00:00
parent 8822db781e
commit 647cfa6a0c
8 changed files with 381 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/conf/KsmConfigurationService.java
View File

@@ -76,6 +76,18 @@ public class KsmConfigurationService extends VaultConfigurationService {
}
};
/**
* Whether windows domains should be stripped off from usernames that are
* read from the KSM vault.
*/
private static final BooleanGuacamoleProperty STRIP_WINDOWS_DOMAINS = new BooleanGuacamoleProperty() {
@Override
public String getName() {
return "ksm-strip-windows-domains";
}
};
/**
* Creates a new KsmConfigurationService which reads the configuration
* from "ksm-token-mapping.yml" and properties from
@@ -105,6 +117,11 @@ public class KsmConfigurationService extends VaultConfigurationService {
return environment.getProperty(ALLOW_UNVERIFIED_CERT, false);
}
@Override
public boolean getSplitWindowsUsernames() throws GuacamoleException {
return environment.getProperty(STRIP_WINDOWS_DOMAINS, false);
}
/**
* Returns the options required to authenticate with Keeper Secrets Manager
* when retrieving secrets. These options are read from the contents of

7
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmClient.java
View File

@@ -22,7 +22,6 @@ package org.apache.guacamole.vault.ksm.secret;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.keepersecurity.secretsManager.core.Hosts;
import com.keepersecurity.secretsManager.core.KeeperFile;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
import com.keepersecurity.secretsManager.core.Login;
@@ -119,7 +118,7 @@ public class KsmClient {
* {@link #cacheLock} acquired appropriately.
*/
private KeeperSecrets cachedSecrets = null;
/**
* All records retrieved from Keeper Secrets Manager, where each key is the
* UID of the corresponding record. The contents of this Map are
@@ -216,7 +215,7 @@ public class KsmClient {
// Store all secrets within cache
cachedSecrets = secrets;
// Clear unambiguous cache of all records by UID
cachedRecordsByUid.clear();
@@ -398,7 +397,7 @@ public class KsmClient {
* The record associated with the given username, or null if there is
* no such record or multiple such records.
*
* @throws GuacamoleException
* @throws GuacamoleException
* If an error occurs that prevents the record from being retrieved.
*/
public KeeperRecord getRecordByLogin(String username) throws GuacamoleException {

58
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmRecordService.java
View File

@@ -41,12 +41,20 @@ import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Service for automatically parsing out secrets and data from Keeper records.
*/
@Singleton
public class KsmRecordService {
/**
* Regular expression which matches the labels of custom fields containing
* domains.
*/
private static final Pattern DOMAIN_LABEL_PATTERN =
Pattern.compile("domain", Pattern.CASE_INSENSITIVE);
/**
* Regular expression which matches the labels of custom fields containing
* hostnames/addresses.
@@ -143,13 +151,13 @@ public class KsmRecordService {
* empty or contains multiple values, null is returned. Note that null will
* also be returned if the mapping transformation returns null for the
* single value stored in the list.
*
*
* @param <T>
* The type of object stored in the list.
*
*
* @param <R>
* The type of object to return.
*
*
* @param values
* The list to retrieve a single value from.
*
@@ -168,7 +176,7 @@ public class KsmRecordService {
return null;
return mapper.apply(value);
}
/**
@@ -271,7 +279,7 @@ public class KsmRecordService {
* multiple such fields, null is returned. Both standard and custom fields
* are searched. As standard fields do not have labels, any given label
* pattern is ignored for standard fields.
*
*
* @param <T>
* The type of field to return.
*
@@ -339,7 +347,7 @@ public class KsmRecordService {
return null;
foundFile = file;
}
return foundFile;
@@ -362,7 +370,7 @@ public class KsmRecordService {
if (file == null)
return CompletableFuture.completedFuture(null);
return CompletableFuture.supplyAsync(() -> {
return new String(SecretsManager.downloadFile(file), StandardCharsets.UTF_8);
});
@@ -445,6 +453,38 @@ public class KsmRecordService {
}
/**
* Returns the single domain associated with the given record. If the
* record has no associated domain, or multiple domains, null is
* returned. Domains are retrieved from "Text" and "Hidden" fields
* that have the label "domain" (case-insensitive).
*
* @param record
* The record to retrieve the domain from.
*
* @return
* The domain associated with the given record, or null if the record
* has no associated domain or multiple domains.
*/
public String getDomain(KeeperRecord record) {
KeeperRecordData data = record.getData();
List<KeeperRecordField> custom = data.getCustom();
// First check text "domain" custom field ...
Text textField = getField(custom, Text.class, DOMAIN_LABEL_PATTERN);
if (textField != null)
return getSingleStringValue(textField.getValue());
// ... or hidden "domain" custom field if that's not found
HiddenField hiddenField = getField(custom, HiddenField.class, DOMAIN_LABEL_PATTERN);
if (hiddenField != null)
return getSingleStringValue(hiddenField.getValue());
return null;
}
/**
* Returns the password associated with the given record. Both standard and
* custom fields are searched. Only "Password" and "Hidden" field types are
@@ -555,7 +595,7 @@ public class KsmRecordService {
// a pair of custom hidden fields for the private key and passphrase:
// the standard password field of the "Login" record refers to the
// user's own password, if any, not the passphrase of their key)
// Use password "private key" custom field as fallback ...
Password passwordField = getField(custom, Password.class, PASSPHRASE_LABEL_PATTERN);
if (passwordField != null)
@@ -567,7 +607,7 @@ public class KsmRecordService {
return getSingleStringValue(hiddenField.getValue());
return null;
}
}

49
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmSecretService.java
View File

@@ -32,7 +32,9 @@ import java.util.concurrent.Future;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.protocol.GuacamoleConfiguration;
import org.apache.guacamole.token.TokenFilter;
import org.apache.guacamole.vault.ksm.conf.KsmConfigurationService;
import org.apache.guacamole.vault.secret.VaultSecretService;
import org.apache.guacamole.vault.secret.WindowsUsername;
/**
* Service which retrieves secrets from Keeper Secrets Manager.
@@ -52,6 +54,12 @@ public class KsmSecretService implements VaultSecretService {
@Inject
private KsmRecordService recordService;
/**
* Service for retrieving configuration information.
*/
@Inject
private KsmConfigurationService confService;
@Override
public String canonicalize(String nameComponent) {
try {
@@ -86,17 +94,48 @@ public class KsmSecretService implements VaultSecretService {
* @param record
* The record to retrieve secrets from when generating tokens. This may
* be null.
*
* @throws GuacamoleException
* If configuration details in guacamole.properties cannot be parsed.
*/
private void addRecordTokens(Map<String, Future<String>> tokens, String prefix,
KeeperRecord record) {
KeeperRecord record) throws GuacamoleException {
if (record == null)
return;
// Domain of server-related record
String domain = recordService.getDomain(record);
if (domain != null)
tokens.put(prefix + "DOMAIN", CompletableFuture.completedFuture(domain));
// Username of server-related record
String username = recordService.getUsername(record);
if (username != null)
tokens.put(prefix + "USERNAME", CompletableFuture.completedFuture(username));
if (username != null) {
// If the record had no directly defined domain, but there is a
// username, and the configuration is enabled to split Windows
// domains out of usernames, attempt to split the domain out now
if (domain == null && confService.getSplitWindowsUsernames()) {
WindowsUsername usernameAndDomain =
WindowsUsername.splitWindowsUsernameFromDomain(username);
// Always store the username token
tokens.put(prefix + "USERNAME", CompletableFuture.completedFuture(
usernameAndDomain.getUsername()));
// Only store the domain if one is detected
if (usernameAndDomain.hasDomain())
tokens.put(prefix + "DOMAIN", CompletableFuture.completedFuture(
usernameAndDomain.getDomain()));
}
// If splitting is not enabled, store the whole value in the USERNAME token
else {
tokens.put(prefix + "USERNAME", CompletableFuture.completedFuture(username));
}
}
// Password of server-related record
String password = recordService.getPassword(record);
@@ -113,7 +152,7 @@ public class KsmSecretService implements VaultSecretService {
tokens.put(prefix + "KEY", privateKey);
}
@Override
public Map<String, Future<String>> getTokens(GuacamoleConfiguration config,
TokenFilter filter) throws GuacamoleException {
@@ -135,7 +174,7 @@ public class KsmSecretService implements VaultSecretService {
// Tokens specific to RDP
if ("rdp".equals(config.getProtocol())) {
// Retrieve and define gateway server-specific tokens, if any
String gatewayHostname = parameters.get("gateway-hostname");
if (gatewayHostname != null && !gatewayHostname.isEmpty())