Skip to content

Commit

Permalink
GUACAMOLE-1020: Make sure only admin users can modify restrictions.
Browse files Browse the repository at this point in the history
  • Loading branch information
necouchman committed Oct 2, 2024
1 parent 1e04d6d commit 95cd386
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,12 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
*/
private final String remoteAddress;

/**
* true if the user logged in to Guacamole has administrative privileges
* for this user object, otherwise false.
*/
private final boolean hasAdmin;

/**
* The name of the attribute that contains a list of weekdays and times (UTC)
* that a user is allowed to log in. The presence of this attribute will
Expand Down Expand Up @@ -116,9 +122,10 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
* The remote address of the client from which the current user is logged
* in.
*/
public RestrictedUser(User user, String remoteAddress) {
public RestrictedUser(User user, String remoteAddress, boolean hasAdmin) {
super(user);
this.remoteAddress = remoteAddress;
this.hasAdmin = hasAdmin;
}

/**
Expand All @@ -133,7 +140,7 @@ public User getUndecorated() {

@Override
public Map<String, String> getAttributes() {

// Create independent, mutable copy of attributes
Map<String, String> attributes = new HashMap<>(super.getAttributes());

Expand All @@ -154,10 +161,18 @@ public void setAttributes(Map<String, String> attributes) {

// Create independent, mutable copy of attributes
attributes = new HashMap<>(attributes);

// Loop through extension-specific attributes, only sending ones
// that are non-null and non-empty to the underlying storage mechanism.
for (String attribute : RESTRICT_USER_ATTRIBUTES) {

/* If the user lacks admin access, don't set restriction attributes. */
if (!hasAdmin) {
attributes.remove(attribute);
continue;
}

/* Replace empty values with null values. */
String value = attributes.get(attribute);
if (value != null && value.isEmpty())
attributes.put(attribute, null);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,12 @@
import org.apache.guacamole.net.auth.DecoratingDirectory;
import org.apache.guacamole.net.auth.DelegatingUserContext;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.SystemPermission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand All @@ -60,7 +63,7 @@ public class RestrictedUserContext extends DelegatingUserContext {
* The identifiers effective groups of the user associated with this context.
*/
private final Set<String> effectiveUserGroups;

/**
* Creates a new RestrictedUserContext which wraps the given UserContext,
* providing additional control for user logins and connections.
Expand Down Expand Up @@ -133,11 +136,25 @@ public Collection<Form> getConnectionGroupAttributes() {

@Override
public Directory<User> getUserDirectory() throws GuacamoleException {

// Pull permissions of the current logged-in user.
Permissions currentPermissions = self().getEffectivePermissions();
boolean isAdmin = currentPermissions.getSystemPermissions().hasPermission(
SystemPermission.Type.ADMINISTER
);
Collection<String> adminIdentifiers =
currentPermissions.getUserPermissions().getAccessibleObjects(
Collections.singletonList(ObjectPermission.Type.ADMINISTER), super.getUserDirectory().getIdentifiers());

return new DecoratingDirectory<User>(super.getUserDirectory()) {

@Override
protected User decorate(User object) {
return new RestrictedUser(object, remoteAddress);
protected User decorate(User object) throws GuacamoleException {

// Check and see if the logged in user has admin privileges -
// either system-level or for that particular object.
boolean hasAdmin = isAdmin || adminIdentifiers.contains(object.getIdentifier());
return new RestrictedUser(object, remoteAddress, hasAdmin);
}

@Override
Expand Down

0 comments on commit 95cd386

Please sign in to comment.