GUACAMOLE-524: Remove Attributes interface from AuthenticatedUser. Rely instead on tokens injected via decoration of connections.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java

@@ -79,7 +79,6 @@ public class ModeledAuthenticatedUser extends RemoteAuthenticatedUser {
         super(authenticatedUser.getAuthenticationProvider(), authenticatedUser.getCredentials(), authenticatedUser.getEffectiveUserGroups());
         this.modelAuthenticationProvider = modelAuthenticationProvider;
         this.user = user;
-        super.setAttributes(authenticatedUser.getAttributes());
     }
 
     /**

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/RemoteAuthenticatedUser.java

@@ -19,7 +19,6 @@
 
 package org.apache.guacamole.auth.jdbc.user;
 
-import java.util.Map;
 import java.util.Collections;
 import java.util.Set;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
@@ -52,16 +51,6 @@ public abstract class RemoteAuthenticatedUser implements AuthenticatedUser {
      */
     private final Set<String> effectiveGroups;
 
-    @Override
-    public Map<String, String> getAttributes() {
-        return Collections.<String, String>emptyMap();
-    }
-
-    @Override
-    public void setAttributes(Map<String, String> attributes) {
-        // No attributes supported
-    }
-
     /**
      * Creates a new RemoteAuthenticatedUser, deriving the associated remote
      * host from the given credentials.

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java

@@ -53,6 +53,12 @@ public class AuthenticationProviderService {
      */
     private final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
 
+    /**
+     * The prefix string to add to each parameter token generated from an LDAP
+     * attribute name.
+     */
+    private static final String LDAP_ATTRIBUTE_TOKEN_PREFIX = "LDAP_ATTR_";
+
     /**
      * Service for creating and managing connections to LDAP servers.
      */
@@ -233,7 +239,7 @@ public class AuthenticationProviderService {
         try {
             // Return AuthenticatedUser if bind succeeds
             LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-            authenticatedUser.init(credentials, getLDAPAttributes(ldapConnection, credentials.getUsername()));
+            authenticatedUser.init(credentials, getAttributeTokens(ldapConnection, credentials.getUsername()));
 
             return authenticatedUser;
 
@@ -246,43 +252,44 @@ public class AuthenticationProviderService {
     }
 
     /**
-     * Returns all custom LDAP attributes on the user currently bound under
-     * the given LDAP connection. The custom attributes are specified in
-     * guacamole.properties.  If no attributes are specified or none are
+     * Returns parameter tokens generated from LDAP attributes on the user
+     * currently bound under the given LDAP connection. The attributes to be
+     * converted into parameter tokens must be explicitly listed in
+     * guacamole.properties. If no attributes are specified or none are
      * found on the LDAP user object, an empty map is returned.
      *
      * @param ldapConnection
-     *     LDAP connection to find the custom LDAP attributes.
+     *     LDAP connection to use to read the attributes of the user.
      *
      * @param username
-     *     The username of the user whose attributes are queried.
+     *     The username of the user whose attributes are to be queried.
      *
      * @return
-     *     All attributes on the user currently bound under the
-     *     given LDAP connection, as a map of attribute name to
-     *     corresponding attribute value, or an empty map if no
-     *     attributes are specified or none are found on the user
-     *     object.
+     *     A map of parameter tokens generated from attributes on the user
+     *     currently bound under the given LDAP connection, as a map of token
+     *     name to corresponding value, or an empty map if no attributes are
+     *     specified or none are found on the user object.
      *
      * @throws GuacamoleException
      *     If an error occurs retrieving the user DN or the attributes.
      */
-    private Map<String, String> getLDAPAttributes(LDAPConnection ldapConnection,
+    private Map<String, String> getAttributeTokens(LDAPConnection ldapConnection,
             String username) throws GuacamoleException {
 
         // Get attributes from configuration information
         List<String> attrList = confService.getAttributes();
 
         // If there are no attributes there is no reason to search LDAP
-        if (attrList == null || attrList.isEmpty())
+        if (attrList.isEmpty())
             return Collections.<String, String>emptyMap();
 
         // Build LDAP query parameters
         String[] attrArray = attrList.toArray(new String[attrList.size()]);
         String userDN = getUserBindDN(username);
 
-        Map<String, String> attrMap = new HashMap<String, String>();
+        Map<String, String> tokens = new HashMap<String, String>();
         try {
+
             // Get LDAP attributes by querying LDAP
             LDAPEntry userEntry = ldapConnection.read(userDN, attrArray);
             if (userEntry == null)
@@ -292,17 +299,19 @@ public class AuthenticationProviderService {
             if (attrSet == null)
                 return Collections.<String, String>emptyMap();
 
-            // Add each attribute into Map
+            // Convert each retrieved attribute into a corresponding token
             for (Object attrObj : attrSet) {
                 LDAPAttribute attr = (LDAPAttribute)attrObj;
-                attrMap.put(attr.getName(), attr.getStringValue());
+                tokens.put(LDAP_ATTRIBUTE_TOKEN_PREFIX + attr.getName(), attr.getStringValue());
             }
+
         }
         catch (LDAPException e) {
-            throw new GuacamoleServerException("Error while querying for User Attributes.", e);
+            throw new GuacamoleServerException("Could not query LDAP user attributes.", e);
         }
 
-        return attrMap;
+        return tokens;
+
     }
 
     /**

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java

@@ -355,7 +355,8 @@ public class ConfigurationService {
      */
     public List<String> getAttributes() throws GuacamoleException {
         return environment.getProperty(
-            LDAPGuacamoleProperties.LDAP_USER_ATTRIBUTES
+            LDAPGuacamoleProperties.LDAP_USER_ATTRIBUTES,
+            Collections.<String>emptyList()
         );
     }
     

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProvider.java

@@ -23,9 +23,11 @@ package org.apache.guacamole.auth.ldap;
 import com.google.inject.Guice;
 import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.ldap.user.LDAPAuthenticatedUser;
 import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.TokenInjectingUserContext;
 import org.apache.guacamole.net.auth.UserContext;
 
 /**
@@ -85,4 +87,19 @@ public class LDAPAuthenticationProvider extends AbstractAuthenticationProvider {
 
     }
 
+    @Override
+    public UserContext decorate(UserContext context,
+            AuthenticatedUser authenticatedUser, Credentials credentials)
+            throws GuacamoleException {
+
+        // Only decorate if the user authenticated against LDAP
+        if (!(authenticatedUser instanceof LDAPAuthenticatedUser))
+            return context;
+
+        // Apply LDAP-specific tokens to all connections / connection groups
+        return new TokenInjectingUserContext(context,
+                ((LDAPAuthenticatedUser) authenticatedUser).getTokens());
+
+    }
+
 }

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java

@@ -35,8 +35,10 @@ import org.apache.guacamole.auth.ldap.ConfigurationService;
 import org.apache.guacamole.auth.ldap.EscapingService;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.auth.ldap.user.LDAPAuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.Connection;
+import org.apache.guacamole.net.auth.TokenInjectingConnection;
 import org.apache.guacamole.net.auth.simple.SimpleConnection;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
 import org.slf4j.Logger;
@@ -178,6 +180,13 @@ public class ConnectionService {
                     String name = cn.getStringValue();
                     Connection connection = new SimpleConnection(name, name, config);
                     connection.setParentIdentifier(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP);
+
+                    // Inject LDAP-specific tokens only if LDAP handled user
+                    // authentication
+                    if (user instanceof LDAPAuthenticatedUser)
+                        connection = new TokenInjectingConnection(connection,
+                                ((LDAPAuthenticatedUser) user).getTokens());
+
                     connections.put(name, connection);
 
                 }

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java

@@ -20,6 +20,7 @@
 package org.apache.guacamole.auth.ldap.user;
 
 import com.google.inject.Inject;
+import java.util.Collections;
 import java.util.Map;
 import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -44,35 +45,40 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser {
     private Credentials credentials;
 
     /**
-     * Arbitrary attributes associated with this AuthenticatedUser object.
+     * Name/value pairs to be applied as parameter tokens when connections
+     * are established using this AuthenticatedUser.
      */
-    private Map<String, String> attributes;
+    private Map<String, String> tokens;
 
     /**
      * Initializes this AuthenticatedUser using the given credentials and
-     * arbitrary attributes.
+     * connection parameter tokens.
      *
      * @param credentials
      *     The credentials provided when this user was authenticated.
      *
-     * @param attributes
-     *     The map of arbitrary attribute name/value pairs to associate with
-     *     this AuthenticatedUser.
+     * @param tokens
+     *     A Map of all name/value pairs that should be applied as parameter
+     *     tokens when connections are established using the AuthenticatedUser.
      */
-    public void init(Credentials credentials, Map<String, String> attributes) {
+    public void init(Credentials credentials, Map<String, String> tokens) {
         this.credentials = credentials;
-        this.attributes = attributes;
+        this.tokens = Collections.unmodifiableMap(tokens);
         setIdentifier(credentials.getUsername());
     }
 
-    @Override
-    public Map<String, String> getAttributes() {
-        return attributes;
-    }
-
-    @Override
-    public void setAttributes(Map<String, String> attributes) {
-        // All attributes are read-only
+    /**
+     * Returns a Map of all name/value pairs that should be applied as
+     * parameter tokens when connections are established using this
+     * AuthenticatedUser.
+     *
+     * @return
+     *     A Map of all name/value pairs that should be applied as parameter
+     *     tokens when connections are established using this
+     *     AuthenticatedUser.
+     */
+    public Map<String, String> getTokens() {
+        return tokens;
     }
 
     @Override