safebox/guacamole-tomcat
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add .gitignore and .ratignore files for various directories
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
gyurix
2025-04-29 21:43:12 +02:00
parent 983ecbfc53
commit be9f66dee9
2167 changed files with 254128 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
extensions/guacamole-vault/modules/guacamole-vault-base/.ratignore Normal file
View File

81
extensions/guacamole-vault/modules/guacamole-vault-base/pom.xml Normal file
View File

@@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.apache.guacamole</groupId>
<artifactId>guacamole-vault-base</artifactId>
<packaging>jar</packaging>
<name>guacamole-vault-base</name>
<url>http://guacamole.apache.org/</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<parent>
<groupId>org.apache.guacamole</groupId>
<artifactId>guacamole-vault</artifactId>
<version>1.6.0</version>
<relativePath>../../</relativePath>
</parent>
<dependencies>
<!-- Guacamole Extension API -->
<dependency>
<groupId>org.apache.guacamole</groupId>
<artifactId>guacamole-ext</artifactId>
<scope>provided</scope>
</dependency>
<!-- Jackson for YAML support -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-yaml</artifactId>
</dependency>
<!-- JUnit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
<!-- Guice -->
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
</dependency>
<dependency>
<groupId>com.google.inject.extensions</groupId>
<artifactId>guice-assistedinject</artifactId>
</dependency>
</dependencies>
</project>

77
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/VaultAuthenticationProvider.java Normal file
View File

@@ -0,0 +1,77 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault;
import com.google.inject.Guice;
import com.google.inject.Injector;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.vault.conf.VaultConfigurationService;
import org.apache.guacamole.vault.user.VaultUserContextFactory;
/**
* AuthenticationProvider implementation which automatically injects tokens
* containing the values of secrets retrieved from a vault.
*/
public abstract class VaultAuthenticationProvider
extends AbstractAuthenticationProvider {
/**
* Factory for creating instances of the relevant vault-specific
* UserContext implementation.
*/
private final VaultUserContextFactory userContextFactory;
/**
* Creates a new VaultAuthenticationProvider which uses the given module to
* configure dependency injection.
*
* @param module
* The module to use to configure dependency injection.
*
* @throws GuacamoleException
* If the properties file containing vault-mapped Guacamole
* configuration properties exists but cannot be read.
*/
protected VaultAuthenticationProvider(VaultAuthenticationProviderModule module)
throws GuacamoleException {
Injector injector = Guice.createInjector(module);
this.userContextFactory = injector.getInstance(VaultUserContextFactory.class);
// Automatically pull properties from vault
Environment environment = injector.getInstance(Environment.class);
VaultConfigurationService confService = injector.getInstance(VaultConfigurationService.class);
environment.addGuacamoleProperties(confService.getProperties());
}
@Override
public UserContext decorate(UserContext context,
AuthenticatedUser authenticatedUser, Credentials credentials)
throws GuacamoleException {
return userContextFactory.create(context);
}
}

99
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/VaultAuthenticationProviderModule.java Normal file
View File

@@ -0,0 +1,99 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault;
import com.google.inject.AbstractModule;
import com.google.inject.assistedinject.FactoryModuleBuilder;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.environment.LocalEnvironment;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.vault.user.VaultUserContext;
import org.apache.guacamole.vault.user.VaultUserContextFactory;
/**
* Guice module which configures injections specific to the base support for
* key vaults. When adding support for a key vault provider, a subclass
* specific to that vault implementation will need to be created.
*
* @see KsmAuthenticationProviderModule
*/
public abstract class VaultAuthenticationProviderModule extends AbstractModule {
/**
* Guacamole server environment.
*/
private final Environment environment;
/**
* Creates a new VaultAuthenticationProviderModule which configures
* dependency injection for the authentication provider of a vault
* implementation.
*
* @throws GuacamoleException
* If an error occurs while retrieving the Guacamole server
* environment.
*/
public VaultAuthenticationProviderModule() throws GuacamoleException {
this.environment = LocalEnvironment.getInstance();
}
/**
* Configures injections for interfaces which are implementation-specific
* to the vault service in use. Subclasses MUST provide a version of this
* function which binds concrete implementations to the following
* interfaces:
*
* - VaultConfigurationService
* - VaultSecretService
*
* @see KsmAuthenticationProviderModule
*/
protected abstract void configureVault();
/**
* Returns the instance of the Guacamole server environment which will be
* exposed to other classes via dependency injection.
*
* @return
* The instance of the Guacamole server environment which will be
* exposed via dependency injection.
*/
protected Environment getEnvironment() {
return environment;
}
@Override
protected void configure() {
// Bind Guacamole server environment
bind(Environment.class).toInstance(environment);
// Bind factory for creating UserContexts
install(new FactoryModuleBuilder()
.implement(UserContext.class, VaultUserContext.class)
.build(VaultUserContextFactory.class));
// Bind all other implementation-specific interfaces
configureVault();
}
}

72
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/conf/VaultAttributeService.java Normal file
View File

@@ -0,0 +1,72 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.conf;
import java.util.Collection;
import org.apache.guacamole.form.Form;
/**
* A service that exposes attributes for the admin UI, specific to the vault
* implementation. Any vault implementation will need to expose the attributes
* necessary for that implementation.
*/
public interface VaultAttributeService {
/**
* Return all custom connection attributes to be exposed through the
* admin UI for the current vault implementation.
*
* @return
* All custom connection attributes to be exposed through the
* admin UI for the current vault implementation.
*/
public Collection<Form> getConnectionAttributes();
/**
* Return all custom connection group attributes to be exposed through the
* admin UI for the current vault implementation.
*
* @return
* All custom connection group attributes to be exposed through the
* admin UI for the current vault implementation.
*/
public Collection<Form> getConnectionGroupAttributes();
/**
* Return all custom user attributes to be exposed through the admin UI for
* the current vault implementation.
*
* @return
* All custom user attributes to be exposed through the admin UI for
* the current vault implementation.
*/
public Collection<Form> getUserAttributes();
/**
* Return all user preference attributes to be exposed through the user
* preferences UI for the current vault implementation.
*
* @return
* All user preference attributes to be exposed through the user
* preferences UI for the current vault implementation.
*/
public Collection<Form> getUserPreferenceAttributes();
}

226
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/conf/VaultConfigurationService.java Normal file
View File

@@ -0,0 +1,226 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.conf;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import com.google.inject.Inject;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.properties.FileGuacamoleProperties;
import org.apache.guacamole.properties.GuacamoleProperties;
import org.apache.guacamole.properties.PropertiesGuacamoleProperties;
import org.apache.guacamole.vault.VaultAuthenticationProviderModule;
import org.apache.guacamole.vault.secret.VaultSecretService;
/**
* Base class for services which retrieve key vault configuration information.
* A concrete implementation of this class must be defined and bound for key
* vault support to work.
*
* @see VaultAuthenticationProviderModule
*/
public abstract class VaultConfigurationService {
/**
* The Guacamole server environment.
*/
@Inject
private Environment environment;
@Inject
private VaultSecretService secretService;
/**
* ObjectMapper for deserializing YAML.
*/
private final ObjectMapper mapper = new ObjectMapper(new YAMLFactory());
/**
* The name of the file containing a YAML mapping of Guacamole parameter
* token to vault secret name.
*/
private final String tokenMappingFilename;
/**
* The name of the properties file containing Guacamole configuration
* properties. Unlike guacamole.properties, the values of these properties
* are read from the vault. Each property is expected to contain a secret
* name instead of a property value.
*/
private final String propertiesFilename;
/**
* Creates a new VaultConfigurationService which retrieves the token/secret
* mappings and Guacamole configuration properties from the files with the
* given names.
*
* @param tokenMappingFilename
* The name of the YAML file containing the token/secret mapping.
*
* @param propertiesFilename
* The name of the properties file containing Guacamole configuration
* properties whose values are the names of corresponding secrets.
*/
protected VaultConfigurationService(String tokenMappingFilename,
String propertiesFilename) {
this.tokenMappingFilename = tokenMappingFilename;
this.propertiesFilename = propertiesFilename;
}
/**
* Returns a mapping dictating the name of the secret which maps to each
* parameter token. In the returned mapping, the value of each entry is the
* name of the secret to use to populate the value of the parameter token,
* and the key of each entry is the name of the parameter token which
* should receive the value of the secret.
*
* The name of the secret may contain its own tokens, which will be
* substituted using values from the given filter. See the definition of
* VaultUserContext for the names of these tokens and the contexts in which
* they can be applied to secret names.
*
* @return
* A mapping dictating the name of the secret which maps to each
* parameter token.
*
* @throws GuacamoleException
* If the YAML file defining the token/secret mapping cannot be read.
*/
public Map<String, String> getTokenMapping() throws GuacamoleException {
// Get configuration file from GUACAMOLE_HOME
File confFile = new File(environment.getGuacamoleHome(), tokenMappingFilename);
if (!confFile.exists())
return Collections.emptyMap();
// Deserialize token mapping from YAML
try {
Map<String, String> mapping = mapper.readValue(confFile, new TypeReference<Map<String, String>>() {});
if (mapping == null)
return Collections.emptyMap();
return mapping;
}
// Fail if YAML is invalid/unreadable
catch (IOException e) {
throw new GuacamoleServerException("Unable to read token mapping "
+ "configuration file \"" + tokenMappingFilename + "\".", e);
}
}
/**
* Returns a GuacamoleProperties instance which automatically reads the
* values of requested properties from the vault. The name of the secret
* corresponding to a property stored in the vault is defined via the
* properties filename supplied at construction time.
*
* @return
* A GuacamoleProperties instance which automatically reads property
* values from the vault.
*
* @throws GuacamoleException
* If the properties file containing the property/secret mappings
* exists but cannot be read.
*/
public GuacamoleProperties getProperties() throws GuacamoleException {
// Use empty properties if file cannot be found
File propFile = new File(environment.getGuacamoleHome(), propertiesFilename);
if (!propFile.exists())
return new PropertiesGuacamoleProperties(new Properties());
// Automatically pull properties from vault
return new FileGuacamoleProperties(propFile) {
@Override
public String getProperty(String name) throws GuacamoleException {
try {
String secretName = super.getProperty(name);
if (secretName == null)
return null;
return secretService.getValue(secretName).get();
}
catch (InterruptedException | ExecutionException e) {
if (e.getCause() instanceof GuacamoleException)
throw (GuacamoleException) e;
throw new GuacamoleServerException(String.format("Property "
+ "\"%s\" could not be retrieved from the vault.", name), e);
}
}
};
}
/**
* Return whether Windows domains should be split out from usernames when
* fetched from the vault.
*
* For example: "DOMAIN\\user" or "user@DOMAIN" should both
* be split into seperate username and domain tokens if this configuration
* is true. If false, no domain token should be created and the above values
* should be stored directly in the username token.
*
* @return
* true if windows domains should be split out from usernames, false
* otherwise.
*
* @throws GuacamoleException
* If the value specified within guacamole.properties cannot be
* parsed.
*/
public abstract boolean getSplitWindowsUsernames() throws GuacamoleException;
/**
* Return whether domains should be considered when matching user records
* that are fetched from the vault.
*
* If set to true, the username and domain must both match when matching
* records from the vault. If false, only the username will be considered.
*
* @return
* true if both the username and domain should be considered when
* matching user records from the vault.
*
* @throws GuacamoleException
* If the value specified within guacamole.properties cannot be
* parsed.
*/
public abstract boolean getMatchUserRecordsByDomain() throws GuacamoleException;
}

200
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/secret/CachedVaultSecretService.java Normal file
View File

@@ -0,0 +1,200 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.secret;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Caching implementation of VaultSecretService. Requests for the values of
* secrets will automatically be cached for a duration determined by the
* implementation. Subclasses must implement refreshCachedSecret() to provide
* a mechanism for CachedVaultSecretService to explicitly retrieve a value
* which is missing from the cache or has expired.
*/
public abstract class CachedVaultSecretService implements VaultSecretService {
/**
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(CachedVaultSecretService.class);
/**
* The cached value of a secret.
*/
protected class CachedSecret {
/**
* A Future which contains or will contain the value of the secret at
* the time it was last retrieved.
*/
private final Future<String> value;
/**
* The time the value should be considered out-of-date, in milliseconds
* since midnight of January 1, 1970 UTC.
*/
private final long expires;
/**
* Creates a new CachedSecret which represents a cached snapshot of the
* value of a secret. Each CachedSecret has a limited lifespan after
* which it should be considered out-of-date.
*
* @param value
* A Future which contains or will contain the current value of the
* secret. If no such secret exists, the given Future should
* complete with null.
*
* @param ttl
* The maximum number of milliseconds that this value should be
* cached.
*/
public CachedSecret(Future<String> value, int ttl) {
this.value = value;
this.expires = System.currentTimeMillis() + ttl;
}
/**
* Returns the value of the secret at the time it was last retrieved.
* The actual value of the secret may have changed.
*
* @return
* A Future which will eventually complete with the value of the
* secret at the time it was last retrieved. If no such secret
* exists, the Future will be completed with null. If an error
* occurs which prevents retrieval of the secret, that error will
* be exposed through an ExecutionException when an attempt is made
* to retrieve the value from the Future.
*/
public Future<String> getValue() {
return value;
}
/**
* Returns whether this specific cached value has expired. Expired
* values will be automatically refreshed by CachedVaultSecretService.
*
* @return
* true if this cached value has expired, false otherwise.
*/
public boolean isExpired() {
return System.currentTimeMillis() >= expires;
}
}
/**
* Cache of past requests to retrieve secrets. Expired secrets are lazily
* removed.
*/
private final ConcurrentHashMap<String, Future<CachedSecret>> cache = new ConcurrentHashMap<>();
/**
* Explicitly retrieves the value of the secret having the given name,
* returning a result that can be cached. The length of time that this
* specific value will be cached is determined by the TTL value provided to
* the returned CachedSecret. This function will be automatically invoked
* in response to calls to getValue() when the requested secret is either
* not cached or has expired. Expired secrets are not removed from the
* cache until another request is made for that secret.
*
* @param name
* The name of the secret to retrieve.
*
* @return
* A CachedSecret which defines the current value of the secret and the
* point in time that value should be considered potentially
* out-of-date.
*
* @throws GuacamoleException
* If an error occurs while retrieving the secret from the vault.
*/
protected abstract CachedSecret refreshCachedSecret(String name)
throws GuacamoleException;
@Override
public Future<String> getValue(String name) throws GuacamoleException {
CompletableFuture<CachedSecret> refreshEntry;
try {
// Attempt to use cached result of previous call
Future<CachedSecret> cachedEntry = cache.get(name);
if (cachedEntry != null) {
// Use cached result if not yet expired
CachedSecret secret = cachedEntry.get();
if (!secret.isExpired()) {
logger.debug("Using cached secret for \"{}\".", name);
return secret.getValue();
}
// Evict if expired
else {
logger.debug("Cached secret for \"{}\" is expired.", name);
cache.remove(name, cachedEntry);
}
}
// If no cached result, or result is too old, race with other
// threads to be the thread which refreshes the entry
refreshEntry = new CompletableFuture<>();
cachedEntry = cache.putIfAbsent(name, refreshEntry);
// If a refresh operation is already in progress, wait for that
// operation to complete and use its value
if (cachedEntry != null)
return cachedEntry.get().getValue();
}
catch (InterruptedException | ExecutionException e) {
throw new GuacamoleServerException("Attempt to retrieve secret "
+ "failed.", e);
}
// If we reach this far, the cache entry is stale or missing, and it's
// this thread's responsibility to refresh the entry
try {
CachedSecret secret = refreshCachedSecret(name);
refreshEntry.complete(secret);
logger.debug("Cached secret for \"{}\" will be refreshed.", name);
return secret.getValue();
}
// Abort the refresh operation if an error occurs
catch (Error | RuntimeException | GuacamoleException e) {
refreshEntry.completeExceptionally(e);
cache.remove(name, refreshEntry);
logger.debug("Cached secret for \"{}\" could not be refreshed.", name);
throw e;
}
}
}

144
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/secret/VaultSecretService.java Normal file
View File

@@ -0,0 +1,144 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.secret;
import java.util.Map;
import java.util.concurrent.Future;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Connectable;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.protocol.GuacamoleConfiguration;
import org.apache.guacamole.token.TokenFilter;
/**
* Generic service for retrieving the value of a secret stored in a vault.
*/
public interface VaultSecretService {
/**
* Translates an arbitrary string, which may contain characters not allowed
* by the vault implementation, into a string which is valid within a
* secret name. The type of transformation performed on the string, if any,
* will depend on the specific requirements of the vault provider.
*
* NOTE: It is critical that this transformation is deterministic and
* reasonably predictable for users. If an implementation must apply a
* transformation to secret names, that transformation needs to be
* documented.
*
* @param nameComponent
* An arbitrary string intended for use within a secret name, but which
* may contain characters not allowed by the vault implementation.
*
* @return
* A string containing essentially the same content as the provided
* string, but transformed deterministically such that it is acceptable
* as a component of a secret name by the vault provider.
*/
String canonicalize(String nameComponent);
/**
* Returns a Future which eventually completes with the value of the secret
* having the given name. If no such secret exists, the Future will be
* completed with null. The secrets retrieved from this method are independent
* of the context of the particular connection being established, or any
* associated user context.
*
* @param name
* The name of the secret to retrieve.
*
* @return
* A Future which completes with value of the secret having the given
* name. If no such secret exists, the Future will be completed with
* null. If an error occurs asynchronously which prevents retrieval of
* the secret, that error will be exposed through an ExecutionException
* when an attempt is made to retrieve the value from the Future.
*
* @throws GuacamoleException
* If the secret cannot be retrieved due to an error.
*/
Future<String> getValue(String name) throws GuacamoleException;
/**
* Returns a Future which eventually completes with the value of the secret
* having the given name. If no such secret exists, the Future will be
* completed with null. The connection or connection group, as well as the
* user context associated with the request are provided for additional context.
*
* @param userContext
* The user context associated with the connection or connection group for
* which the secret is being retrieved.
*
* @param connectable
* The connection or connection group for which the secret is being retrieved.
*
* @param name
* The name of the secret to retrieve.
*
* @return
* A Future which completes with value of the secret having the given
* name. If no such secret exists, the Future will be completed with
* null. If an error occurs asynchronously which prevents retrieval of
* the secret, that error will be exposed through an ExecutionException
* when an attempt is made to retrieve the value from the Future.
*
* @throws GuacamoleException
* If the secret cannot be retrieved due to an error.
*/
Future<String> getValue(UserContext userContext, Connectable connectable,
String name) throws GuacamoleException;
/**
* Returns a map of token names to corresponding Futures which eventually
* complete with the value of that token, where each token is dynamically
* defined based on connection parameters. If a vault implementation allows
* for predictable secrets based on the parameters of a connection, this
* function should be implemented to provide automatic tokens for those
* secrets and remove the need for manual mapping via YAML.
*
* @param userContext
* The user context from which the connectable originated.
*
* @param connectable
* The connection or connection group for which the tokens are being replaced.
*
* @param config
* The configuration of the Guacamole connection for which tokens are
* being generated. This configuration may be empty or partial,
* depending on the underlying implementation.
*
* @param filter
* A TokenFilter instance that applies any tokens already available to
* be applied to the configuration of the Guacamole connection. These
* tokens will consist of tokens already supplied to connect().
*
* @return
* A map of token names to their corresponding future values, where
* each token and value may be dynamically determined based on the
* connection configuration.
*
* @throws GuacamoleException
* If an error occurs producing the tokens and values required for the
* given configuration.
*/
Map<String, Future<String>> getTokens(UserContext userContext, Connectable connectable,
GuacamoleConfiguration config, TokenFilter filter) throws GuacamoleException;
}

157
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/secret/WindowsUsername.java Normal file
View File

@@ -0,0 +1,157 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.secret;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
/**
* A class representing a Windows username, which may optionally also include
* a domain. This class can be used to parse the username and domain out of a
* username from a vault.
*/
public class WindowsUsername {
/**
* A pattern for matching a down-level logon name containing a Windows
* domain and username - e.g. domain\\user. For more information, see
* https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#down-level-logon-name
*/
private static final Pattern DOWN_LEVEL_LOGON_NAME_PATTERN = Pattern.compile(
"(?<domain>[^@\\\\]+)\\\\(?<username>[^@\\\\]+)");
/**
* A pattern for matching a user principal name containing a Windows
* domain and username - e.g. user@domain. For more information, see
* https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#user-principal-name
*/
private static final Pattern USER_PRINCIPAL_NAME_PATTERN = Pattern.compile(
"(?<username>[^@\\\\]+)@(?<domain>[^@\\\\]+)");
/**
* The username associated with the potential Windows domain/username
* value. If no domain is found, the username field will contain the
* entire value as read from the vault.
*/
private final String username;
/**
* The dinaun associated with the potential Windows domain/username
* value. If no domain is found, this will be null.
*/
private final String domain;
/**
* Create a WindowsUsername record with no associated domain.
*
* @param username
* The username, which should be the entire value as extracted
* from the vault.
*/
private WindowsUsername(@Nonnull String username) {
this.username = username;
this.domain = null;
}
/**
* Create a WindowsUsername record with a username and a domain.
*
* @param username
* The username portion of the field value from the vault.
*
* @param domain
* The domain portion of the field value from the vault.
*/
private WindowsUsername(
@Nonnull String username, @Nonnull String domain) {
this.username = username;
this.domain = domain;
}
/**
* Return the value of the username as extracted from the vault field.
* If the domain is null, this will be the entire field value.
*
* @return
* The username value as extracted from the vault field.
*/
public String getUsername() {
return username;
}
/**
* Return the value of the domain as extracted from the vault field.
* If this is null, it means that no domain was found in the vault field.
*
* @return
* The domain value as extracted from the vault field.
*/
public String getDomain() {
return domain;
}
/**
* Return true if a domain was found in the vault field, false otherwise.
*
* @return
* true if a domain was found in the vault field, false otherwise.
*/
public boolean hasDomain() {
return this.domain != null;
}
/**
* Strip off a Windows domain from the provided username, if one is
* present. For example: "DOMAIN\\user" or "user@DOMAIN" will both
* be stripped to just "user". Note: neither the '@' or '\\' characters
* are valid in Windows usernames.
*
* @param vaultField
* The raw field value as retrieved from the vault. This might contain
* a Windows domain.
*
* @return
* The provided username with the Windows domain stripped off, if one
* is present.
*/
public static WindowsUsername splitWindowsUsernameFromDomain(String vaultField) {
// If it's the down-level logon format, return the extracted username and domain
Matcher downLevelLogonMatcher = DOWN_LEVEL_LOGON_NAME_PATTERN.matcher(vaultField);
if (downLevelLogonMatcher.matches())
return new WindowsUsername(
downLevelLogonMatcher.group("username"),
downLevelLogonMatcher.group("domain"));
// If it's the user principal format, return the extracted username and domain
Matcher userPrincipalMatcher = USER_PRINCIPAL_NAME_PATTERN.matcher(vaultField);
if (userPrincipalMatcher.matches())
return new WindowsUsername(
userPrincipalMatcher.group("username"),
userPrincipalMatcher.group("domain"));
// If none of the expected formats matched, return the username with do domain
return new WindowsUsername(vaultField);
}
}

140
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultDirectoryService.java Normal file
View File

@@ -0,0 +1,140 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.user;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.ActiveConnection;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserGroup;
/**
* A service that allows a vault implementation to override the directory
* for any entity that a user context may return.
*/
public abstract class VaultDirectoryService {
/**
* Given an existing User Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new User Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<User> getUserDirectory(
Directory<User> underlyingDirectory) throws GuacamoleException {
// By default, the provided directly will be returned unchanged
return underlyingDirectory;
}
/**
* Given an existing UserGroup Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new UserGroup Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<UserGroup> getUserGroupDirectory(
Directory<UserGroup> underlyingDirectory) throws GuacamoleException {
// Unless overriden in the vault implementation, the underlying directory
// will be returned directly
return underlyingDirectory;
}
/**
* Given an existing Connection Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new Connection Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<Connection> getConnectionDirectory(
Directory<Connection> underlyingDirectory) throws GuacamoleException {
// By default, the provided directly will be returned unchanged
return underlyingDirectory;
}
/**
* Given an existing ConnectionGroup Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new ConnectionGroup Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<ConnectionGroup> getConnectionGroupDirectory(
Directory<ConnectionGroup> underlyingDirectory) throws GuacamoleException {
// By default, the provided directly will be returned unchanged
return underlyingDirectory;
}
/**
* Given an existing ActiveConnection Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new ActiveConnection Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<ActiveConnection> getActiveConnectionDirectory(
Directory<ActiveConnection> underlyingDirectory) throws GuacamoleException {
// By default, the provided directly will be returned unchanged
return underlyingDirectory;
}
/**
* Given an existing SharingProfile Directory, return a new Directory for
* this vault implementation.
*
* @return
* A new SharingProfile Directory based on the provided Directory.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
public Directory<SharingProfile> getSharingProfileDirectory(
Directory<SharingProfile> underlyingDirectory) throws GuacamoleException {
// By default, the provided directly will be returned unchanged
return underlyingDirectory;
}
}

528
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContext.java Normal file
View File

@@ -0,0 +1,528 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.user;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
import com.google.inject.assistedinject.AssistedInject;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.form.Form;
import org.apache.guacamole.net.auth.ActiveConnection;
import org.apache.guacamole.net.auth.Connectable;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.TokenInjectingUserContext;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.protocol.GuacamoleConfiguration;
import org.apache.guacamole.token.GuacamoleTokenUndefinedException;
import org.apache.guacamole.token.TokenFilter;
import org.apache.guacamole.vault.conf.VaultAttributeService;
import org.apache.guacamole.vault.conf.VaultConfigurationService;
import org.apache.guacamole.vault.secret.VaultSecretService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* UserContext implementation which automatically injects tokens containing the
* values of secrets retrieved from a vault.
*/
public class VaultUserContext extends TokenInjectingUserContext {
/**
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(VaultUserContext.class);
/**
* The name of the token which will be replaced with the username of the
* current user if specified within the name of a secret. Unlike the
* standard GUAC_USERNAME token, the username stored with the object
* representing the user is used here, not necessarily the username
* provided during authentication. This token applies to both connections
* and connection groups.
*/
private static final String USERNAME_TOKEN = "USERNAME";
/**
* The name of the token which will be replaced with the name of the
* current connection group if specified within the name of a secret. This
* token only applies only to connection groups.
*/
private static final String CONNECTION_GROUP_NAME_TOKEN = "CONNECTION_GROUP_NAME";
/**
* The name of the token which will be replaced with the identifier of the
* current connection group if specified within the name of a secret. This
* token only applies only to connection groups.
*/
private static final String CONNECTION_GROUP_IDENTIFIER_TOKEN = "CONNECTION_GROUP_ID";
/**
* The name of the token which will be replaced with the \"hostname\"
* connection parameter of the current connection if specified within the
* name of a secret. If the \"hostname\" parameter cannot be retrieved, or
* if the parameter is blank, the token will not be replaced and any
* secrets involving that token will not be retrieved. This token only
* applies only to connections.
*/
private static final String CONNECTION_HOSTNAME_TOKEN = "CONNECTION_HOSTNAME";
/**
* The name of the token which will be replaced with the \"username\"
* connection parameter of the current connection if specified within the
* name of a secret. If the \"username\" parameter cannot be retrieved, or
* if the parameter is blank, the token will not be replaced and any
* secrets involving that token will not be retrieved. This token only
* applies only to connections.
*/
private static final String CONNECTION_USERNAME_TOKEN = "CONNECTION_USERNAME";
/**
* The name of the token which will be replaced with the name of the
* current connection if specified within the name of a secret. This token
* only applies only to connections.
*/
private static final String CONNECTION_NAME_TOKEN = "CONNECTION_NAME";
/**
* The name of the token which will be replaced with the identifier of the
* current connection if specified within the name of a secret. This token
* only applies only to connections.
*/
private static final String CONNECTION_IDENTIFIER_TOKEN = "CONNECTION_ID";
/**
* Service for retrieving configuration information.
*/
@Inject
private VaultConfigurationService confService;
/**
* Service for retrieving the values of secrets stored in a vault.
*/
@Inject
private VaultSecretService secretService;
/**
* Service for retrieving any custom attributes defined for the
* current vault implementation.
*/
@Inject
private VaultAttributeService attributeService;
/**
* Service for modifying any underlying directories for the current
* vault implementation.
*/
@Inject
private VaultDirectoryService directoryService;
/**
* Creates a new VaultUserContext which automatically injects tokens
* containing values of secrets retrieved from a vault. The given
* UserContext is decorated such that connections and connection groups
* will receive additional tokens during the connection process.
*
* Note that this class depends on concrete implementations of the
* following classes to be provided via dependency injection:
*
* - VaultConfigurationService
* - VaultSecretService
*
* Bindings providing these concrete implementations will need to be
* provided by subclasses of VaultAuthenticationProviderModule for each
* supported vault.
*
* @param userContext
* The UserContext instance to decorate.
*/
@AssistedInject
public VaultUserContext(@Assisted UserContext userContext) {
super(userContext);
}
/**
* Creates a new TokenFilter instance with token values set for all tokens
* which are not specific to connections or connection groups. Currently,
* this is only the vault-specific username token ("USERNAME"). Each token
* stored within the returned TokenFilter via setToken() will be
* automatically canonicalized for use within secret names.
*
* @return
* A new TokenFilter instance with token values set for all tokens
* which are not specific to connections or connection groups.
*/
private TokenFilter createFilter() {
// Create filter that automatically canonicalizes all token values
TokenFilter filter = new TokenFilter() {
@Override
public void setToken(String name, String value) {
super.setToken(name, secretService.canonicalize(value));
}
@Override
public void setTokens(Map<String, String> tokens) {
tokens.entrySet().forEach((entry) -> setToken(entry.getKey(), entry.getValue()));
}
};
filter.setToken(USERNAME_TOKEN, self().getIdentifier());
return filter;
}
/**
* Initiates asynchronous retrieval of all applicable tokens and
* corresponding values from the vault, using the given TokenFilter to
* filter tokens within the secret names prior to retrieving those secrets.
*
* @param connectable
* The connection or connection group to which the connection is being
* established.
*
* @param tokenMapping
* The mapping dictating the name of the secret which maps to each
* parameter token, where the key is the name of the parameter token
* and the value is the name of the secret. The name of the secret
* may contain its own tokens, which will be substituted using values
* from the given filter.
*
* @param secretNameFilter
* The filter to use to substitute values for tokens in the names of
* secrets to be retrieved from the vault.
*
* @param config
* The GuacamoleConfiguration of the connection for which tokens are
* being retrieved, if available. This may be null.
*
* @param configFilter
* A TokenFilter instance that applies any tokens already available to
* be applied to the configuration of the Guacamole connection. These
* tokens will consist of tokens already supplied to connect().
*
* @return
* A Map of token name to Future, where each Future represents the
* pending retrieval operation which will ultimately be completed with
* the value of all secrets mapped to that token.
*
* @throws GuacamoleException
* If the value for any applicable secret cannot be retrieved from the
* vault due to an error.
*/
private Map<String, Future<String>> getTokens(
Connectable connectable, Map<String, String> tokenMapping,
TokenFilter secretNameFilter, GuacamoleConfiguration config,
TokenFilter configFilter) throws GuacamoleException {
// Populate map with pending secret retrieval operations corresponding
// to each mapped token
Map<String, Future<String>> pendingTokens = new HashMap<>(tokenMapping.size());
for (Map.Entry<String, String> entry : tokenMapping.entrySet()) {
// Translate secret pattern into secret name, ignoring any
// secrets which cannot be translated
String secretName;
try {
secretName = secretNameFilter.filterStrict(entry.getValue());
}
catch (GuacamoleTokenUndefinedException e) {
logger.debug("Secret for token \"{}\" will not be retrieved. "
+ "Token \"{}\" within mapped secret name has no "
+ "defined value in the current context.",
entry.getKey(), e.getTokenName());
continue;
}
// Initiate asynchronous retrieval of the token value
String tokenName = entry.getKey();
Future<String> secret = secretService.getValue(
this, connectable, secretName);
pendingTokens.put(tokenName, secret);
}
// Additionally include any dynamic, parameter-based tokens
pendingTokens.putAll(secretService.getTokens(
this, connectable, config, configFilter));
return pendingTokens;
}
/**
* Waits for all pending secret retrieval operations to complete,
* transforming each Future within the given Map into its contained String
* value.
*
* @param pendingTokens
* A Map of token name to Future, where each Future represents the
* pending retrieval operation which will ultimately be completed with
* the value of all secrets mapped to that token.
*
* @return
* A Map of token name to the corresponding String value retrieved for
* that token from the vault.
*
* @throws GuacamoleException
* If the value for any applicable secret cannot be retrieved from the
* vault due to an error.
*/
private Map<String, String> resolve(Map<String,
Future<String>> pendingTokens) throws GuacamoleException {
// Populate map with tokens containing the values of their
// corresponding secrets
Map<String, String> tokens = new HashMap<>(pendingTokens.size());
for (Map.Entry<String, Future<String>> entry : pendingTokens.entrySet()) {
// Complete secret retrieval operation, blocking if necessary
String secretValue;
try {
secretValue = entry.getValue().get();
}
catch (InterruptedException | ExecutionException e) {
throw new GuacamoleServerException("Retrieval of secret value "
+ "failed.", e);
}
// If a value is defined for the secret in question, store that
// value under the mapped token
String tokenName = entry.getKey();
if (secretValue != null) {
tokens.put(tokenName, secretValue);
logger.debug("Token \"{}\" populated with value from "
+ "secret.", tokenName);
}
else
logger.debug("Token \"{}\" not populated. Mapped "
+ "secret has no value.", tokenName);
}
return tokens;
}
@Override
protected void addTokens(ConnectionGroup connectionGroup,
Map<String, String> tokens) throws GuacamoleException {
String name = connectionGroup.getName();
String identifier = connectionGroup.getIdentifier();
logger.debug("Injecting tokens from vault for connection group "
+ "\"{}\" (\"{}\").", identifier, name);
// Add general and connection-group-specific tokens
TokenFilter filter = createFilter();
filter.setToken(CONNECTION_GROUP_NAME_TOKEN, name);
filter.setToken(CONNECTION_GROUP_IDENTIFIER_TOKEN, identifier);
// Substitute tokens producing secret names, retrieving and storing
// those secrets as parameter tokens
tokens.putAll(resolve(getTokens(
connectionGroup, confService.getTokenMapping(), filter,
null, new TokenFilter(tokens))));
}
/**
* Retrieves the GuacamoleConfiguration of the given Connection. If
* possible, privileged access to the configuration is obtained first. Note
* that the underlying extension is not required to allow privileged
* access, nor is it required to expose the underlying configuration at
* all.
*
* @param connection
* The connection to retrieve the configuration from.
*
* @return
* The GuacamoleConfiguration associated with the given connection,
* which may be partial or empty.
*
* @throws GuacamoleException
* If an error prevents privileged retrieval of the configuration.
*/
private GuacamoleConfiguration getConnectionConfiguration(Connection connection)
throws GuacamoleException {
String identifier = connection.getIdentifier();
// Obtain privileged access to parameters if possible (note that the
// UserContext returned by getPrivileged() is not guaranteed to
// actually be privileged)
Connection privilegedConnection = getPrivileged().getConnectionDirectory().get(identifier);
if (privilegedConnection != null)
return privilegedConnection.getConfiguration();
// Fall back to unprivileged access if not implemented/allowed by
// extension
return connection.getConfiguration();
}
@Override
protected void addTokens(Connection connection, Map<String, String> tokens)
throws GuacamoleException {
String name = connection.getName();
String identifier = connection.getIdentifier();
logger.debug("Injecting tokens from vault for connection \"{}\" "
+ "(\"{}\").", identifier, name);
// Add general and connection-specific tokens
TokenFilter filter = createFilter();
filter.setToken(CONNECTION_NAME_TOKEN, connection.getName());
filter.setToken(CONNECTION_IDENTIFIER_TOKEN, identifier);
// Add hostname and username tokens if available (implementations are
// not required to expose connection configuration details)
GuacamoleConfiguration config = getConnectionConfiguration(connection);
Map<String, String> parameters = config.getParameters();
String hostname = parameters.get("hostname");
if (hostname != null && !hostname.isEmpty())
filter.setToken(CONNECTION_HOSTNAME_TOKEN, hostname);
else
logger.debug("Hostname for connection \"{}\" (\"{}\") not "
+ "available. \"{}\" token will not be populated in "
+ "secret names.", identifier, name,
CONNECTION_HOSTNAME_TOKEN);
String username = parameters.get("username");
if (username != null && !username.isEmpty())
filter.setToken(CONNECTION_USERNAME_TOKEN, username);
else
logger.debug("Username for connection \"{}\" (\"{}\") not "
+ "available. \"{}\" token will not be populated in "
+ "secret names.", identifier, name,
CONNECTION_USERNAME_TOKEN);
// Substitute tokens producing secret names, retrieving and storing
// those secrets as parameter tokens
tokens.putAll(resolve(getTokens(connection, confService.getTokenMapping(),
filter, config, new TokenFilter(tokens))));
}
@Override
public Directory<User> getUserDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getUserDirectory(super.getUserDirectory());
}
@Override
public Directory<UserGroup> getUserGroupDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getUserGroupDirectory(super.getUserGroupDirectory());
}
@Override
public Directory<Connection> getConnectionDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getConnectionDirectory(super.getConnectionDirectory());
}
@Override
public Directory<ConnectionGroup> getConnectionGroupDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getConnectionGroupDirectory(super.getConnectionGroupDirectory());
}
@Override
public Directory<ActiveConnection> getActiveConnectionDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getActiveConnectionDirectory(super.getActiveConnectionDirectory());
}
@Override
public Directory<SharingProfile> getSharingProfileDirectory() throws GuacamoleException {
// Defer to the vault-specific directory service
return directoryService.getSharingProfileDirectory(super.getSharingProfileDirectory());
}
@Override
public Collection<Form> getUserAttributes() {
// Add any custom attributes to any previously defined attributes
return Collections.unmodifiableCollection(Stream.concat(
super.getUserAttributes().stream(),
attributeService.getUserAttributes().stream()
).collect(Collectors.toList()));
}
@Override
public Collection<Form> getUserPreferenceAttributes() {
// Add any custom preference attributes to any previously defined attributes
return Collections.unmodifiableCollection(Stream.concat(
super.getUserPreferenceAttributes().stream(),
attributeService.getUserPreferenceAttributes().stream()
).collect(Collectors.toList()));
}
@Override
public Collection<Form> getConnectionAttributes() {
// Add any custom attributes to any previously defined attributes
return Collections.unmodifiableCollection(Stream.concat(
super.getConnectionAttributes().stream(),
attributeService.getConnectionAttributes().stream()
).collect(Collectors.toList()));
}
@Override
public Collection<Form> getConnectionGroupAttributes() {
// Add any custom attributes to any previously defined attributes
return Collections.unmodifiableCollection(Stream.concat(
super.getConnectionGroupAttributes().stream(),
attributeService.getConnectionGroupAttributes().stream()
).collect(Collectors.toList()));
}
}

46
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/java/org/apache/guacamole/vault/user/VaultUserContextFactory.java Normal file
View File

@@ -0,0 +1,46 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.user;
import org.apache.guacamole.net.auth.UserContext;
/**
* Factory for creating UserContext instances which automatically inject tokens
* containing the values of secrets retrieved from a vault.
*/
public interface VaultUserContextFactory {
/**
* Returns a new instance of a UserContext implementation which
* automatically injects tokens containing values of secrets retrieved from
* a vault. The given UserContext is decorated such that connections and
* connection groups will receive additional tokens during the connection
* process.
*
* @param userContext
* The UserContext instance to decorate.
*
* @return
* A new UserContext instance which automatically injects tokens
* containing values of secrets retrieved from a vault.
*/
UserContext create(UserContext userContext);
}

7
extensions/guacamole-vault/modules/guacamole-vault-base/src/main/resources/translations/en.json Normal file
View File

@@ -0,0 +1,7 @@
{
"DATA_SOURCE_AZURE_KEYVAULT" : {
"NAME" : "Azure Key Vault"
}
}

82
extensions/guacamole-vault/modules/guacamole-vault-base/src/test/java/org/apache/guacamole/vault/secret/WindowsUsernameTest.java Normal file
View File

@@ -0,0 +1,82 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.vault.secret;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.util.Arrays;
import java.util.List;
/**
* Class to test the parsing functionality of the WindowsUsername class.
*/
public class WindowsUsernameTest {
/**
* Verify that the splitWindowsUsernameFromDomain() method correctly strips Windows
* domains from provided usernames that include them, and does not modify
* usernames that do not have Windows domains.
*/
@Test
public void testSplitWindowsUsernameFromDomain() {
WindowsUsername usernameAndDomain;
// If no Windows domain is present in the provided field, the username should
// contain the entire field, and no domain should be returned
usernameAndDomain = WindowsUsername.splitWindowsUsernameFromDomain("bob");
assertEquals(usernameAndDomain.getUsername(), "bob");
assertFalse(usernameAndDomain.hasDomain());
// It should parse down-level logon name style domains
usernameAndDomain = WindowsUsername.splitWindowsUsernameFromDomain("localhost\\bob");
assertEquals("bob", usernameAndDomain.getUsername(), "bob");
assertTrue(usernameAndDomain.hasDomain());
assertEquals("localhost", usernameAndDomain.getDomain());
// It should parse user principal name style domains
usernameAndDomain = WindowsUsername.splitWindowsUsernameFromDomain("bob@localhost");
assertEquals("bob", usernameAndDomain.getUsername(), "bob");
assertTrue(usernameAndDomain.hasDomain());
assertEquals("localhost", usernameAndDomain.getDomain());
// It should not match if there are an invalid number of separators
List<String> invalidSeparators = Arrays.asList(
"bob@local@host", "local\\host\\bob",
"bob\\local@host", "local@host\\bob");
invalidSeparators.stream().forEach(
invalidSeparator -> {
// An invalid number of separators means that the parse failed -
// there should be no detected domain, and the entire field value
// should be returned as the username
WindowsUsername parseOutput =
WindowsUsername.splitWindowsUsernameFromDomain(invalidSeparator);
assertFalse(parseOutput.hasDomain());
assertEquals(invalidSeparator, parseOutput.getUsername());
});
}
}