safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1020: Make sure only admin users can modify restrictions.

Browse Source
This commit is contained in:
Virtually Nick
2024-09-28 19:39:59 -04:00
parent 1e04d6d366
commit 95cd386791
2 changed files with 38 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/user/RestrictedUser.java
View File

@@ -43,6 +43,12 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
*/ */
private final String remoteAddress; private final String remoteAddress;
/**
* true if the user logged in to Guacamole has administrative privileges
* for this user object, otherwise false.
*/
private final boolean hasAdmin;
/** /**
* The name of the attribute that contains a list of weekdays and times (UTC) * The name of the attribute that contains a list of weekdays and times (UTC)
* that a user is allowed to log in. The presence of this attribute will * that a user is allowed to log in. The presence of this attribute will
@@ -116,9 +122,10 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
* The remote address of the client from which the current user is logged * The remote address of the client from which the current user is logged
* in. * in.
*/ */
public RestrictedUser(User user, String remoteAddress) { public RestrictedUser(User user, String remoteAddress, boolean hasAdmin) {
super(user); super(user);
this.remoteAddress = remoteAddress; this.remoteAddress = remoteAddress;
this.hasAdmin = hasAdmin;
} }
/** /**
@@ -133,7 +140,7 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
@Override @Override
public Map<String, String> getAttributes() { public Map<String, String> getAttributes() {
// Create independent, mutable copy of attributes // Create independent, mutable copy of attributes
Map<String, String> attributes = new HashMap<>(super.getAttributes()); Map<String, String> attributes = new HashMap<>(super.getAttributes());
@@ -154,10 +161,18 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
// Create independent, mutable copy of attributes // Create independent, mutable copy of attributes
attributes = new HashMap<>(attributes); attributes = new HashMap<>(attributes);
// Loop through extension-specific attributes, only sending ones // Loop through extension-specific attributes, only sending ones
// that are non-null and non-empty to the underlying storage mechanism. // that are non-null and non-empty to the underlying storage mechanism.
for (String attribute : RESTRICT_USER_ATTRIBUTES) { for (String attribute : RESTRICT_USER_ATTRIBUTES) {
/* If the user lacks admin access, don't set restriction attributes. */
if (!hasAdmin) {
attributes.remove(attribute);
continue;
}
/* Replace empty values with null values. */
String value = attributes.get(attribute); String value = attributes.get(attribute);
if (value != null && value.isEmpty()) if (value != null && value.isEmpty())
attributes.put(attribute, null); attributes.put(attribute, null);

23
extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/user/RestrictedUserContext.java
View File

@@ -34,9 +34,12 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.DecoratingDirectory; import org.apache.guacamole.net.auth.DecoratingDirectory;
import org.apache.guacamole.net.auth.DelegatingUserContext; import org.apache.guacamole.net.auth.DelegatingUserContext;
import org.apache.guacamole.net.auth.Directory; import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.User; import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext; import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.UserGroup; import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.SystemPermission;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -60,7 +63,7 @@ public class RestrictedUserContext extends DelegatingUserContext {
* The identifiers effective groups of the user associated with this context. * The identifiers effective groups of the user associated with this context.
*/ */
private final Set<String> effectiveUserGroups; private final Set<String> effectiveUserGroups;
/** /**
* Creates a new RestrictedUserContext which wraps the given UserContext, * Creates a new RestrictedUserContext which wraps the given UserContext,
* providing additional control for user logins and connections. * providing additional control for user logins and connections.
@@ -133,11 +136,25 @@ public class RestrictedUserContext extends DelegatingUserContext {
@Override @Override
public Directory<User> getUserDirectory() throws GuacamoleException { public Directory<User> getUserDirectory() throws GuacamoleException {
// Pull permissions of the current logged-in user.
Permissions currentPermissions = self().getEffectivePermissions();
boolean isAdmin = currentPermissions.getSystemPermissions().hasPermission(
SystemPermission.Type.ADMINISTER
);
Collection<String> adminIdentifiers =
currentPermissions.getUserPermissions().getAccessibleObjects(
Collections.singletonList(ObjectPermission.Type.ADMINISTER), super.getUserDirectory().getIdentifiers());
return new DecoratingDirectory<User>(super.getUserDirectory()) { return new DecoratingDirectory<User>(super.getUserDirectory()) {
@Override @Override
protected User decorate(User object) { protected User decorate(User object) throws GuacamoleException {
return new RestrictedUser(object, remoteAddress);
// Check and see if the logged in user has admin privileges -
// either system-level or for that particular object.
boolean hasAdmin = isAdmin || adminIdentifiers.contains(object.getIdentifier());
return new RestrictedUser(object, remoteAddress, hasAdmin);
} }
@Override @Override