GUACAMOLE-1020: Implement extension to enable additional restrictions #830
Had you considered allowing either the weekday or time parts of the restrictions to be left out, rather than requiring both? It looks like most of the code would already be pretty close to supporting that. I think it could be pretty handy - for example: An admin might prefer to add a rule that a user can access a connection from 9:00 to 17:00 every day, and also add a couple of rules that the user cannot access the connection on Saturday or Sunday. As opposed to right now it looks like they'd have to add 5 rules, one for each day of the week, and if they wanted to change the hours, they'd have to change all 5 of the rules. If this is hard to implement, I'm fine with leaving it as a future enhancement,
I had thought about it, but not quite so thoroughly.
This should be pretty easy to do - I could add a RegEx/parsing rule that looks for an
Yep, that could be quite cumbersome.
Nah, I'll take a run at it, I think it should be pretty easy. Thanks for the suggestion!
@jmuehlner I've taken a run at implementing what I think you were getting at with the multi-day options. I also tweaked it so that 1) date is always stored in UTC in the database, and 2) the front-end form sticks with the user's timezone for the field itself, then translates to UTC when storing in the backend.
LGTM, but it looks like there's an outstanding change request by @mike-jumper
I'm not seeing any unresolved issues, but I'll scroll through it again and make sure, and wait for Mike's approval.
Ah, looks like it was just the comment:
Heh - nice. :) I'll read through things now.
@mike-jumper any objections if I merge this? Did you still have more you wanted to read through?
Going to double-check the restriction logic, but everything else looks good.
…t name changes to classes.
One minor change needed to ensure we don't issue too many queries. Otherwise, LGTM!
// Check and see if the logged in user has admin privileges -
// either system-level or for that particular object.
boolean hasAdmin = isAdmin || adminIdentifiers.contains(object.getIdentifier());
Nice. I like this.
I've taken a run at implementing a decorating extension that allows users, groups, connections, and connection groups to be restricted beyond the defaults provided by the base Guacamole implementation:
Restrict the times at which users can log in based on a "Day of the Week" schedule. This is implemented using both an "Allow at certain times" field, which, if present, will restrict the user to logins only during those times, and a "Deny at certain times" field, which, if present, will block the user from logging in during the specified times. This is implemented at both the individual user level, as well as a setting that can be applied to a group and will impact all the members of that group.
Restrict the hosts from which users can log in, based on hostname, IP address, or CIDR notation. I've attempted to implement both IPv4 and IPv6 restrictions. Hostnames will be reverse-queried to resolve to IPs, and then they are checked against the user's login IP, if it's available.
Restrict the times at which connections and/or connection groups (of the Balancing variety) can be accessed, in the same "Day of the Week" schedule.
Restrict the hosts from which connections and/or connection groups (of the Balancing variety) can be accessed, using hostname, IP address, and/or CIDR range.
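The host restriction described above, sketched as an added example; this is not code from the pull request or from Guacamole. The class and method names are hypothetical, the addresses are constructed from documentation ranges, and two behaviours are assumptions the description does not state: a deny match overrides an allow match, and a client whose IP is unavailable is rejected whenever any rule is configured.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Hypothetical illustration class; only IP literals are used, so no DNS lookup happens.
public class HostRestrictionExample {
    // True if addr lies inside the CIDR network; a bare IP is treated as a single host.
    static boolean inCidr(String cidr, InetAddress addr) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = addr.getAddress();
        if (net.length != ip.length)
            return false; // an IPv4 rule never matches an IPv6 client, and vice versa
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (prefix < 0 || prefix > net.length * 8)
            throw new IllegalArgumentException("Bad prefix length: " + cidr);
        for (int bit = 0; bit < prefix; bit += 8) {
            int remaining = Math.min(8, prefix - bit);   // bits of this byte covered by the prefix
            int mask = (0xFF << (8 - remaining)) & 0xFF; // e.g. /25 gives 0x80 for the last byte
            if ((net[bit / 8] & mask) != (ip[bit / 8] & mask))
                return false;
        }
        return true;
    }

    static boolean anyMatch(List<String> rules, InetAddress addr) throws UnknownHostException {
        for (String rule : rules)
            if (inCidr(rule, addr))
                return true;
        return false;
    }

    // Assumed semantics: deny wins, a non-empty allow list must match,
    // and an unknown client IP fails closed when any rule exists.
    static boolean isAllowed(List<String> allow, List<String> deny, InetAddress client)
            throws UnknownHostException {
        if (client == null)
            return allow.isEmpty() && deny.isEmpty();
        if (anyMatch(deny, client))
            return false;
        return allow.isEmpty() || anyMatch(allow, client);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed rules and client addresses (RFC 5737 / RFC 3849 documentation ranges).
        List<String> allow = List.of("192.0.2.0/24", "2001:db8::/32");
        List<String> deny = List.of("192.0.2.128/25");
        for (String ip : new String[] {"192.0.2.10", "192.0.2.200", "2001:db8::1", "198.51.100.7"})
            System.out.println(ip + " -> " + isAllowed(allow, deny, InetAddress.getByName(ip)));
    }
}
```

A rule given as a hostname would make `InetAddress.getByName` perform a DNS lookup, so the result then depends on the resolver at evaluation time.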