mirror of
https://github.com/gyurix1968/guacamole-client.git
synced 2025-09-06 05:07:41 +00:00
Merge changes from patch branch back to main.
This commit is contained in:
Michael Jumper
@@ -32,7 +32,7 @@
|
||||
<parent>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
<relativePath>../../</relativePath>
|
||||
</parent>
|
||||
|
||||
|
||||
@@ -483,8 +483,8 @@ public class ConnectionService extends ModeledChildDirectoryObjectService<Modele
|
||||
|
||||
List<ConnectionRecordModel> searchResults;
|
||||
|
||||
// Bypass permission checks if the user is privileged
|
||||
if (user.isPrivileged())
|
||||
// Bypass permission checks if the user is privileged or has System-level audit permissions
|
||||
if (user.isPrivileged() || user.getUser().getEffectivePermissions().getSystemPermissions().hasPermission(SystemPermission.Type.AUDIT))
|
||||
searchResults = connectionRecordMapper.search(identifier,
|
||||
recordIdentifier, requiredContents, sortPredicates, limit);
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.jdbc.tunnel;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
@@ -81,6 +82,56 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
*/
|
||||
private final Logger logger = LoggerFactory.getLogger(AbstractGuacamoleTunnelService.class);
|
||||
|
||||
/**
|
||||
* The prefix that will be used to generate JDBC tokens.
|
||||
*/
|
||||
private final String JDBC_TOKEN_PREFIX = "JDBC_";
|
||||
|
||||
/**
|
||||
* The token that contains the date the connection was started.
|
||||
*/
|
||||
private final String JDBC_DATE_TOKEN = JDBC_TOKEN_PREFIX + "STARTDATE";
|
||||
|
||||
/**
|
||||
* The format of the date in the date token.
|
||||
*/
|
||||
private final String JDBC_DATE_TOKEN_FORMAT = "yyyyMMdd";
|
||||
|
||||
/**
|
||||
* The token that contains the start time of the connection.
|
||||
*/
|
||||
private final String JDBC_TIME_TOKEN = JDBC_TOKEN_PREFIX + "STARTTIME";
|
||||
|
||||
/**
|
||||
* The format of the time in the time token.
|
||||
*/
|
||||
private final String JDBC_TIME_TOKEN_FORMAT = "HHmmss";
|
||||
|
||||
/**
|
||||
* The token that contains the connection name.
|
||||
*/
|
||||
private final String JDBC_CONNECTION_NAME_TOKEN = JDBC_TOKEN_PREFIX + "CONNECTION_NAME";
|
||||
|
||||
/**
|
||||
* The token that contains the connection identifier.
|
||||
*/
|
||||
private final String JDBC_CONNECTION_ID_TOKEN = JDBC_TOKEN_PREFIX + "CONNECTION_ID";
|
||||
|
||||
/**
|
||||
* The token that contains the hostname configured in the connection parameters.
|
||||
*/
|
||||
private final String JDBC_CONNECTION_HOSTNAME_TOKEN = JDBC_TOKEN_PREFIX + "HOSTNAME";
|
||||
|
||||
/**
|
||||
* The name of the parameter containing the hostname in the configuration.
|
||||
*/
|
||||
private final String JDBC_CONNECTION_HOSTNAME_TOKEN_PARAMETER = "hostname";
|
||||
|
||||
/**
|
||||
* The token containing the protocol configured in the connection.
|
||||
*/
|
||||
private final String JDBC_CONNECTION_PROTOCOL_TOKEN = JDBC_TOKEN_PREFIX + "PROTOCOL";
|
||||
|
||||
/**
|
||||
* Mapper for accessing connections.
|
||||
*/
|
||||
@@ -121,7 +172,7 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
* All active connections through the tunnel having a given UUID.
|
||||
*/
|
||||
private final Map<String, ActiveConnectionRecord> activeTunnels =
|
||||
new ConcurrentHashMap<String, ActiveConnectionRecord>();
|
||||
new ConcurrentHashMap<>();
|
||||
|
||||
/**
|
||||
* All active connections to a connection having a given identifier.
|
||||
@@ -415,7 +466,7 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
private GuacamoleTunnel assignGuacamoleTunnel(ActiveConnectionRecord activeConnection,
|
||||
GuacamoleClientInformation info, Map<String, String> tokens,
|
||||
boolean interceptErrors) throws GuacamoleException {
|
||||
|
||||
|
||||
// Record new active connection
|
||||
Runnable cleanupTask = new ConnectionCleanupTask(activeConnection);
|
||||
try {
|
||||
@@ -459,9 +510,25 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
config = getGuacamoleConfiguration(connection, connectionID, activeConnection.getSharingProfile());
|
||||
|
||||
}
|
||||
|
||||
// Include history record UUID as token
|
||||
|
||||
// Make a copy of the tokens
|
||||
tokens = new HashMap<>(tokens);
|
||||
|
||||
// Set up JDBC-specific tokens
|
||||
tokens.put(JDBC_DATE_TOKEN,
|
||||
new SimpleDateFormat(JDBC_DATE_TOKEN_FORMAT)
|
||||
.format(activeConnection.getStartDate()));
|
||||
tokens.put(JDBC_TIME_TOKEN,
|
||||
new SimpleDateFormat(JDBC_TIME_TOKEN_FORMAT)
|
||||
.format(activeConnection.getStartDate()));
|
||||
tokens.put(JDBC_CONNECTION_NAME_TOKEN, activeConnection.getConnectionName());
|
||||
tokens.put(JDBC_CONNECTION_ID_TOKEN, activeConnection.getConnectionIdentifier());
|
||||
tokens.put(JDBC_CONNECTION_HOSTNAME_TOKEN,
|
||||
activeConnection.getConnection().getConfiguration().getParameter(JDBC_CONNECTION_HOSTNAME_TOKEN_PARAMETER));
|
||||
tokens.put(JDBC_CONNECTION_PROTOCOL_TOKEN,
|
||||
activeConnection.getConnection().getConfiguration().getProtocol());
|
||||
|
||||
// Include history record UUID as token
|
||||
tokens.put("HISTORY_UUID", activeConnection.getUUID().toString());
|
||||
|
||||
// Build token filter containing credential tokens
|
||||
|
||||
@@ -611,8 +611,8 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
|
||||
|
||||
List<ActivityRecordModel> searchResults;
|
||||
|
||||
// Bypass permission checks if the user is privileged
|
||||
if (user.isPrivileged())
|
||||
// Bypass permission checks if the user is privileged or has System-level audit permissions
|
||||
if (user.isPrivileged() || user.getUser().getEffectivePermissions().getSystemPermissions().hasPermission(SystemPermission.Type.AUDIT))
|
||||
searchResults = userRecordMapper.search(username, recordIdentifier,
|
||||
requiredContents, sortPredicates, limit);
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
<parent>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
<relativePath>../../</relativePath>
|
||||
</parent>
|
||||
|
||||
@@ -42,21 +42,21 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-mysql</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
<!-- PostgreSQL Authentication Extension -->
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-postgresql</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
<!-- SQL Server Authentication Extension -->
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-sqlserver</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
<parent>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
<relativePath>../../</relativePath>
|
||||
</parent>
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-base</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
@@ -459,6 +459,7 @@ CREATE TABLE `guacamole_system_permission` (
|
||||
'CREATE_SHARING_PROFILE',
|
||||
'CREATE_USER',
|
||||
'CREATE_USER_GROUP',
|
||||
'AUDIT',
|
||||
'ADMINISTER') NOT NULL,
|
||||
|
||||
PRIMARY KEY (`entity_id`,`permission`),
|
||||
@@ -611,3 +612,4 @@ CREATE TABLE guacamole_user_password_history (
|
||||
REFERENCES `guacamole_user` (`user_id`) ON DELETE CASCADE
|
||||
|
||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
||||
|
||||
|
||||
@@ -51,3 +51,4 @@ FROM (
|
||||
JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
|
||||
JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'
|
||||
JOIN guacamole_user ON guacamole_user.entity_id = affected.entity_id;
|
||||
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
--
|
||||
-- Licensed to the Apache Software Foundation (ASF) under one
|
||||
-- or more contributor license agreements. See the NOTICE file
|
||||
-- distributed with this work for additional information
|
||||
-- regarding copyright ownership. The ASF licenses this file
|
||||
-- to you under the Apache License, Version 2.0 (the
|
||||
-- "License"); you may not use this file except in compliance
|
||||
-- with the License. You may obtain a copy of the License at
|
||||
--
|
||||
-- http://www.apache.org/licenses/LICENSE-2.0
|
||||
--
|
||||
-- Unless required by applicable law or agreed to in writing,
|
||||
-- software distributed under the License is distributed on an
|
||||
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
-- KIND, either express or implied. See the License for the
|
||||
-- specific language governing permissions and limitations
|
||||
-- under the License.
|
||||
--
|
||||
|
||||
--
|
||||
-- Add new system-level permission
|
||||
--
|
||||
|
||||
ALTER TABLE `guacamole_system_permission`
|
||||
MODIFY `permission` enum('CREATE_CONNECTION',
|
||||
'CREATE_CONNECTION_GROUP',
|
||||
'CREATE_SHARING_PROFILE',
|
||||
'CREATE_USER',
|
||||
'CREATE_USER_GROUP',
|
||||
'AUDIT',
|
||||
'ADMINISTER') NOT NULL;
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
|
||||
"guacamoleVersion" : "1.5.5",
|
||||
"guacamoleVersion" : "1.6.0",
|
||||
|
||||
"name" : "MySQL Authentication",
|
||||
"namespace" : "mysql",
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
<parent>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
<relativePath>../../</relativePath>
|
||||
</parent>
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-base</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
@@ -56,6 +56,7 @@ CREATE TYPE guacamole_system_permission_type AS ENUM(
|
||||
'CREATE_SHARING_PROFILE',
|
||||
'CREATE_USER',
|
||||
'CREATE_USER_GROUP',
|
||||
'AUDIT',
|
||||
'ADMINISTER'
|
||||
);
|
||||
|
||||
|
||||
@@ -53,3 +53,4 @@ FROM (
|
||||
JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
|
||||
JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'
|
||||
JOIN guacamole_user ON guacamole_user.entity_id = affected.entity_id;
|
||||
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
--
|
||||
-- Licensed to the Apache Software Foundation (ASF) under one
|
||||
-- or more contributor license agreements. See the NOTICE file
|
||||
-- distributed with this work for additional information
|
||||
-- regarding copyright ownership. The ASF licenses this file
|
||||
-- to you under the Apache License, Version 2.0 (the
|
||||
-- "License"); you may not use this file except in compliance
|
||||
-- with the License. You may obtain a copy of the License at
|
||||
--
|
||||
-- http://www.apache.org/licenses/LICENSE-2.0
|
||||
--
|
||||
-- Unless required by applicable law or agreed to in writing,
|
||||
-- software distributed under the License is distributed on an
|
||||
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
-- KIND, either express or implied. See the License for the
|
||||
-- specific language governing permissions and limitations
|
||||
-- under the License.
|
||||
--
|
||||
|
||||
--
|
||||
-- Add new system-level audit permission
|
||||
--
|
||||
|
||||
ALTER TYPE guacamole_system_permission_type
|
||||
ADD VALUE 'AUDIT'
|
||||
BEFORE 'ADMINISTER';
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
|
||||
"guacamoleVersion" : "1.5.5",
|
||||
"guacamoleVersion" : "1.6.0",
|
||||
|
||||
"name" : "PostgreSQL Authentication",
|
||||
"namespace" : "postgresql",
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
<parent>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
<relativePath>../../</relativePath>
|
||||
</parent>
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.guacamole</groupId>
|
||||
<artifactId>guacamole-auth-jdbc-base</artifactId>
|
||||
<version>1.5.5</version>
|
||||
<version>1.6.0</version>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
@@ -77,6 +77,7 @@ CREATE RULE [guacamole_system_permission_list] AS @list IN (
|
||||
'CREATE_SHARING_PROFILE',
|
||||
'CREATE_USER',
|
||||
'CREATE_USER_GROUP',
|
||||
'AUDIT',
|
||||
'ADMINISTER'
|
||||
);
|
||||
GO
|
||||
|
||||
@@ -61,3 +61,4 @@ JOIN [guacamole_entity] ON [permissions].[username] = [guacamole_enti
|
||||
JOIN [guacamole_entity] [affected] ON [permissions].[affected_username] = [affected].[name] AND [guacamole_entity].[type] = 'USER'
|
||||
JOIN [guacamole_user] ON [guacamole_user].[entity_id] = [affected].[entity_id];
|
||||
GO
|
||||
|
||||
|
||||
@@ -0,0 +1,43 @@
|
||||
--
|
||||
-- Licensed to the Apache Software Foundation (ASF) under one
|
||||
-- or more contributor license agreements. See the NOTICE file
|
||||
-- distributed with this work for additional information
|
||||
-- regarding copyright ownership. The ASF licenses this file
|
||||
-- to you under the Apache License, Version 2.0 (the
|
||||
-- "License"); you may not use this file except in compliance
|
||||
-- with the License. You may obtain a copy of the License at
|
||||
--
|
||||
-- http://www.apache.org/licenses/LICENSE-2.0
|
||||
--
|
||||
-- Unless required by applicable law or agreed to in writing,
|
||||
-- software distributed under the License is distributed on an
|
||||
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
-- KIND, either express or implied. See the License for the
|
||||
-- specific language governing permissions and limitations
|
||||
-- under the License.
|
||||
--
|
||||
|
||||
--
|
||||
-- Add new system-level audit permission
|
||||
--
|
||||
|
||||
EXEC sp_unbindrule 'guacamole_system_permission';
|
||||
DROP RULE [guacamole_system_permission_list];
|
||||
GO
|
||||
|
||||
CREATE RULE [guacamole_system_permission_list] AS @list IN (
|
||||
'CREATE_CONNECTION',
|
||||
'CREATE_CONNECTION_GROUP',
|
||||
'CREATE_SHARING_PROFILE',
|
||||
'CREATE_USER',
|
||||
'CREATE_USER_GROUP',
|
||||
'AUDIT',
|
||||
'ADMINISTER'
|
||||
);
|
||||
GO
|
||||
|
||||
EXEC sp_bindrule
|
||||
'guacamole_system_permission_list',
|
||||
'guacamole_system_permission';
|
||||
GO
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
|
||||
"guacamoleVersion" : "1.5.5",
|
||||
"guacamoleVersion" : "1.6.0",
|
||||
|
||||
"name" : "SQLServer Authentication",
|
||||
"namespace" : "sqlserver",
|
||||
|
||||
Reference in New Issue
Block a user