From f66c81f351e4cebec8599669363c855a4a1c80ee Mon Sep 17 00:00:00 2001
From: Jean-Benoit Paux <9682558+jbpaux@users.noreply.github.com>
Date: Thu, 16 Sep 2021 10:38:47 +0200
Subject: [PATCH] GUACAMOLE-1418: Add support of SQL Server JDBC plugin in
 Docker Image

---
 guacamole-docker/README.md              |  65 +++++++++-
 guacamole-docker/bin/build-guacamole.sh |  14 +++
 guacamole-docker/bin/initdb.sh          |   8 +-
 guacamole-docker/bin/start.sh           | 153 +++++++++++++++++++++++-
 4 files changed, 229 insertions(+), 11 deletions(-)

diff --git a/guacamole-docker/README.md b/guacamole-docker/README.md
index f7b7abe4c..606269f16 100644
--- a/guacamole-docker/README.md
+++ b/guacamole-docker/README.md
@@ -13,7 +13,7 @@ How to use this image
 
 Using this image will require an existing, running Docker container with the
 [guacd image](https://registry.hub.docker.com/u/guacamole/guacd/), and another
-Docker container providing either a PostgreSQL or MySQL database.
+Docker container providing either a PostgreSQL, MySQL or SQLServer database.
 
 The name of the database and all associated credentials are specified with
 environment variables given when the container is created. All other
@@ -31,9 +31,9 @@ Docker, as well.
 Docker Secrets
 ==============
 The string `_FILE` may be appended to some of the environment variables listed
-below if you are using MySQL or PostgreSQL authentication. This will cause the
-startup script to load the values for those variables from files within
-the container.
+below if you are using MySQL, PostgreSQL or SQLServer authentication. This will
+cause the startup script to load the values for those variables from files
+within the container.
 
 This is useful for specifying sensitive info, ie. passwords for
 the database, in secured files instead of plaintext environment variables. This
@@ -163,6 +163,63 @@ The process for doing this via the `mysql` utility included with MySQL is
 documented in
 [the Guacamole manual](http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-mysql).
 
+Deploying Guacamole with SQLServer authentication
+--------------------------------------------------
+
+    docker run --name some-guacamole --link some-guacd:guacd \
+        --link some-sqlserver:sqlserver      \
+        -e SQLSERVER_DATABASE=guacamole_db  \
+        -e SQLSERVER_USER=guacamole_user    \
+        -e SQLSERVER_PASSWORD=some_password \
+        -e SQLSERVER_DATABASE_FILE=/run/secrets/<secret_name> \
+        -e SQLSERVER_USER_FILE=/run/secrets/<secret_name> \
+        -e SQLSERVER_PASSWORD_FILE=/run/secrets/<secret_name> \
+        -d -p 8080:8080 guacamole/guacamole
+
+Linking Guacamole to SQLServer requires three environment variables. If any of
+these environment variables are omitted, you will receive an error message, and
+the image will stop:
+
+1. `SQLSERVER_DATABASE` - The name of the database to use for Guacamole
+   authentication.
+2. `SQLSERVER_USER` - The user that Guacamole will use to connect to SQLServer.
+3. `SQLSERVER_PASSWORD` - The password that Guacamole will provide when
+   connecting to SQLServer as `SQLSERVER_USER`.
+4. `SQLSERVER_DATABASE_FILE` - The path of the docker secret containing the name
+   of database to use for Guacamole authentication.
+5. `SQLSERVER_USER_FILE` - The path of the docker secret containing the name of
+   the user that Guacamole will use to connect to SQLServer.
+6. `SQLSERVER_PASSWORD_FILE` - The path of the docker secret containing the
+   password that Guacamole will provide when connecting to SQLServer as
+   `SQLSERVER_USER.
+
+### Initializing the SQLServer database
+
+If your database is not already initialized with the Guacamole schema, you will
+need to do so prior to using Guacamole. A convenience script for generating the
+necessary SQL to do this is included in the Guacamole image.
+
+To generate a SQL script which can be used to initialize a fresh SQLServer
+database
+[as documented in the Guacamole manual](http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver):
+
+    docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --sqlserver > initdb.sql
+
+Alternatively, you can use the SQL scripts included with the
+guacamole-auth-jdbc extension from
+[the corresponding release](http://guacamole.apache.org/releases/).
+
+Once this script is generated, you must:
+
+1. Create a database for Guacamole within SQLServer, such as `guacamole_db`.
+2. Run the script on the newly-created database.
+3. Create a user for Guacamole within SQLServer with access to the tables and
+   sequences of this database, such as `guacamole_user`.
+
+The process for doing this via the `sqlcmd` utilities included
+with SQLServer is documented in
+[the Guacamole manual](http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver).
+
 Reporting issues
 ================
 
diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index d3f6741ac..5efaa3e60 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -110,6 +110,20 @@ tar -xz                        \
 echo "Downloading PostgreSQL JDBC driver ..."
 curl -L "https://jdbc.postgresql.org/download/postgresql-9.4-1201.jdbc41.jar" > "$DESTINATION/postgresql/postgresql-9.4-1201.jdbc41.jar"
 
+#
+# Download SQL Server JDBC driver
+#
+
+echo "Downloading SQL Server JDBC driver ..."
+curl -L "https://go.microsoft.com/fwlink/?linkid=2168494&clcid=0x409" | \
+tar -xz                        \
+    -C "$DESTINATION/sqlserver/"   \
+    --wildcards                \
+    --no-anchored              \
+    --no-wildcards-match-slash \
+    --strip-components=2       \
+    "mssql-jdbc-*.jre8.jar"
+
 #
 # Copy LDAP auth extension and schema modifications
 #
diff --git a/guacamole-docker/bin/initdb.sh b/guacamole-docker/bin/initdb.sh
index f56da7467..6031189c9 100755
--- a/guacamole-docker/bin/initdb.sh
+++ b/guacamole-docker/bin/initdb.sh
@@ -26,7 +26,7 @@
 ##
 ## @param DATABASE
 ##     The database to generate the SQL script for. This may be either
-##     "--postgres", for PostgreSQL, or "--mysql" for MySQL.
+##     "--postgres", for PostgreSQL, "--mysql" for MySQL, or "--sqlserver" for Microsoft SQL Server.
 ##
 
 DATABASE="$1"
@@ -37,7 +37,7 @@ DATABASE="$1"
 ##
 incorrect_usage() {
     cat <<END
-USAGE: /opt/guacamole/bin/initdb.sh [--postgres | --mysql]
+USAGE: /opt/guacamole/bin/initdb.sh [--postgres | --mysql | --sqlserver]
 END
     exit 1
 }
@@ -62,6 +62,10 @@ case $DATABASE in
         cat /opt/guacamole/mysql/schema/*.sql
         ;;
 
+    --sqlserver)
+        cat /opt/guacamole/sqlserver/schema/*.sql
+        ;;
+
     *)
         echo "Bad database type: $DATABASE"
         incorrect_usage
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 062e16a06..74497f37b 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -23,7 +23,7 @@
 ##
 ## Automatically configures and starts Guacamole under Tomcat. Guacamole's
 ## guacamole.properties file will be automatically generated based on the
-## linked database container (either MySQL or PostgreSQL) and the linked guacd
+## linked database container (either MySQL,PostgreSQL or SQLServer) and the linked guacd
 ## container. The Tomcat process will ultimately replace the process of this
 ## script, running in the foreground until terminated.
 ##
@@ -403,6 +403,142 @@ END
 
 }
 
+# Print error message regarding missing required variables for SQLServer authentication
+sqlserver_missing_vars() {
+    cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a SQLServer database, you must provide each of the following
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the
+corresponding secret:
+
+    SQLSERVER_USER     The user to authenticate as when connecting to
+                       SQLServer.
+
+    SQLSERVER_PASSWORD The password to use when authenticating with SQLServer
+                       as SQLSERVER_USER.
+
+    SQLSERVER_DATABASE The name of the SQLServer database to use for Guacamole
+                       authentication.
+END
+    exit 1;
+}
+
+##
+## Adds properties to guacamole.properties which select the SQLServer
+## authentication provider, and configure it to connect to the linked
+## SQLServer container. If a SQLServer database is explicitly specified using
+## the SQLSERVER_HOSTNAME and SQLSERVER_PORT environment variables, that will
+## be used instead of a linked container.
+##
+associate_sqlserver() {
+
+    # Use linked container if specified
+    if [ -n "$SQLSERVER_NAME" ]; then
+        SQLSERVER_HOSTNAME="$SQLSERVER_PORT_1433_TCP_ADDR"
+        SQLSERVER_PORT="$SQLSERVER_PORT_1433_TCP_PORT"
+    fi
+
+    # Use default port if none specified
+    SQLSERVER_PORT="${SQLSERVER_PORT-1433}"
+
+    # Verify required connection information is present
+    if [ -z "$SQLSERVER_HOSTNAME" -o -z "$SQLSERVER_PORT" ]; then
+        cat <<END
+FATAL: Missing SQLSERVER_HOSTNAME or "sqlserver" link.
+-------------------------------------------------------------------------------
+If using a SQLServer database, you must either:
+
+(a) Explicitly link that container with the link named "sqlserver".
+
+(b) If not using a Docker container for SQLServer, explicitly specify the TCP
+    connection to your database using the following environment variables:
+
+    SQLSERVER_HOSTNAME The hostname or IP address of the SQLServer server. If
+                       not using a SQLServer Docker container and
+                       corresponding link, this environment variable is
+                       *REQUIRED*.
+
+    SQLSERVER_PORT     The port on which the SQLServer server is listening for
+                       TCP connections. This environment variable is option. If
+                       omitted, the standard SQLServer port of 1433 will be
+                       used.
+END
+        exit 1;
+    fi
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$SQLSERVER_USER_FILE" ]; then
+        set_property "sqlserver-username" "`cat "$SQLSERVER_USER_FILE"`"
+    elif [ -n "$SQLSERVER_USER" ]; then
+        set_property "sqlserver-username" "$SQLSERVER_USER"
+    else
+        sqlserver_missing_vars
+        exit 1;
+    fi
+
+    if [ -n "$SQLSERVER_PASSWORD_FILE" ]; then
+        set_property "sqlserver-password" "`cat "$SQLSERVER_PASSWORD_FILE"`"
+    elif [ -n "$SQLSERVER_PASSWORD" ]; then
+        set_property "sqlserver-password" "$SQLSERVER_PASSWORD"
+    else
+        sqlserver_missing_vars
+        exit 1;
+    fi
+
+    if [ -n "$SQLSERVER_DATABASE_FILE" ]; then
+        set_property "sqlserver-database" "`cat "$SQLSERVER_DATABASE_FILE"`"
+    elif [ -n "$SQLSERVER_DATABASE" ]; then
+        set_property "sqlserver-database" "$SQLSERVER_DATABASE"
+    else
+        sqlserver_missing_vars
+        exit 1;
+    fi
+
+    # Update config file
+    set_property "sqlserver-hostname" "$SQLSERVER_HOSTNAME"
+    set_property "sqlserver-port"     "$SQLSERVER_PORT"
+    set_property "sqlserver-driver"   "microsoft2005"
+
+    set_optional_property               \
+        "sqlserver-absolute-max-connections" \
+        "$SQLSERVER_ABSOLUTE_MAX_CONNECTIONS"
+
+    set_optional_property                    \
+        "sqlserver-default-max-connections" \
+        "$SQLSERVER_DEFAULT_MAX_CONNECTIONS"
+
+    set_optional_property                          \
+        "sqlserver-default-max-group-connections" \
+        "$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS"
+
+    set_optional_property                             \
+        "sqlserver-default-max-connections-per-user" \
+        "$SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER"
+
+    set_optional_property                                   \
+        "sqlserver-default-max-group-connections-per-user" \
+        "$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
+
+    set_optional_property          \
+        "sqlserver-user-required" \
+        "$SQLSERVER_USER_REQUIRED"
+
+    set_optional_property                  \
+        "sqlserver-auto-create-accounts"  \
+        "$SQLSERVERQL_AUTO_CREATE_ACCOUNTS"
+
+    set_optional_property      \
+        "sqlserver-instance"  \
+        "$SQLSERVERQL_INSTANCE"
+
+    # Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
+    ln -s /opt/guacamole/sqlserver/mssql-jdbc-*.jar "$GUACAMOLE_LIB"
+    ln -s /opt/guacamole/sqlserver/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+}
+
 ##
 ## Adds properties to guacamole.properties which select the LDAP
 ## authentication provider, and configure it to connect to the specified LDAP
@@ -813,6 +949,12 @@ if [ -n "$POSTGRES_DATABASE" -o -n "$POSTGRES_DATABASE_FILE" ]; then
     INSTALLED_AUTH="$INSTALLED_AUTH postgres"
 fi
 
+# Use SQLServer if database specified
+if [ -n "$SQLSERVER_DATABASE" -o -n "$SQLSERVER_DATABASE_FILE" ]; then
+    associate_sqlserver
+    INSTALLED_AUTH="$INSTALLED_AUTH sqlserver"
+fi
+
 # Use LDAP directory if specified
 if [ -n "$LDAP_HOSTNAME" ]; then
     associate_ldap
@@ -840,10 +982,11 @@ if [ -z "$INSTALLED_AUTH" -a -z "$GUACAMOLE_HOME_TEMPLATE" ]; then
 FATAL: No authentication configured
 -------------------------------------------------------------------------------
 The Guacamole Docker container needs at least one authentication mechanism in
-order to function, such as a MySQL database, PostgreSQL database, LDAP
-directory or RADIUS server. Please specify at least the MYSQL_DATABASE or
-POSTGRES_DATABASE environment variables, or check Guacamole's Docker
-documentation regarding configuring LDAP and/or custom extensions.
+order to function, such as a MySQL database, PostgreSQL database, SQLServer
+database, LDAP directory or RADIUS server. Please specify at least the
+MYSQL_DATABASE or POSTGRES_DATABASE or SQLSERVER_DATABASE environment variables,
+or check Guacamole's Docker documentation regarding configuring LDAP and/or
+custom extensions.
 END
     exit 1;
 fi