GitHub user mike-jumper opened a pull request:
https://github.com/apache/guacamole-client/pull/336
GUACAMOLE-641: Add support for populating arbitrary parameter tokens from
key vaults.
These changes add a new family of extensions, similar to
"guacamole-auth-jdbc", which provide support for retrieval of secrets from key
vaults: "guacamole-auth-vault". Initial support for Azure Key Vault is present
through the "guacamole-auth-vault-azure" module, with the necessary structure
in place to allow other implementations to be provided in the future.
The general support works as follows:
1. A JSON file is included within `GUACAMOLE_HOME` which defines a
token/secret mapping. Besides defining tokens, the names of each secret may
also contain tokens which allow the secret name to vary by connection ID,
hostname, username, etc. There is a specific set of tokens available for use
within secret names.
2. When a user attempts to connect to a connection or connection group, the
key vault implementation is queried to retrieve each defined secret. Tokens are
then defined for only those secrets whose names are fully defined within the
current context and which have values stored within the vault.
3. The extension defining the connection is given these tokens. If the
extension supports substitution of parameter tokens, as all current extensions
do, those tokens will be substituted within the configuration of the
connection. Guacamole extensions are not required to do this, however.
4. To avoid excessive retrieval requests, the result of retrieving a
particular secret is cached (by default for 10 seconds).
This thus allows secret values like passwords and private keys to be stored
off-site within the vault and retrieved dynamically based on context.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mike-jumper/guacamole-client key-vault
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/guacamole-client/pull/336.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #336
----
commit a1d6eeac5f4fce22291a6b9f2c826915441b1329
Author: Michael Jumper <mjumper@...>
Date: 2018-10-07T05:32:26Z
GUACAMOLE-641: Allow token retrieval/generation to fail with an error.
commit fa7878fc22f5c4f012b38e517e37dbfc9a2f31ee
Author: Michael Jumper <mjumper@...>
Date: 2018-10-07T05:36:30Z
GUACAMOLE-641: Provide strict filtering mode for TokenFilter which
disallows undefined tokens.
commit 34d14262c092878ccdf8bec1e73ab6292f7ba72a
Author: Michael Jumper <mjumper@...>
Date: 2018-10-07T20:28:12Z
GUACAMOLE-641: Add generic vault support with an initial Azure Key Vault
implementation.
commit 0bd1343d016adee73834c31791162feba4c65400
Author: Michael Jumper <mjumper@...>
Date: 2018-10-08T01:21:20Z
GUACAMOLE-641: Automatically cache requests for secrets from the vault.
commit 35ee93de8a8ef58241e7e3c6bb145447857d6d19
Author: Michael Jumper <mjumper@...>
Date: 2018-10-16T17:29:05Z
GUACAMOLE-641: Retrieve secrets from Azure Key Vault.
commit 0f3ac8161915a07d1476f2b09f998ac040c5488c
Author: Michael Jumper <mjumper@...>
Date: 2018-10-16T21:16:14Z
GUACAMOLE-641: Allow tokens to be easily injected on-demand.
commit 4d90b34732d81efd1fbdeab8df9d9edb939f6266
Author: Michael Jumper <mjumper@...>
Date: 2018-10-16T21:51:24Z
GUACAMOLE-641: Retrieve tokens asynchronously and in parallel.
----
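As an added illustration (not code from this pull request or the Guacamole project), a Python sketch of the flow described in steps 1 to 4 above: strict filtering of templated secret names so only fully defined names are queried, lookup in a stand-in vault, and a time-based cache of the results. The mapping file contents, the token names used inside the secret names, and the injectable clock are assumptions for this example.

```python
import json
import re
import time

# Constructed token/secret mapping in the shape the PR describes (a JSON file
# under GUACAMOLE_HOME). The token names inside the secret names are assumed
# for this example; the PR does not list the supported set.
MAPPING_JSON = json.dumps({
    "DB_PASSWORD": "${GUAC_USERNAME}-db-password",
    "SSH_KEY": "${GUAC_CONNECTION_ID}-${GUAC_HOSTNAME}-ssh-key",
    "API_TOKEN": "shared-api-token",
})

TOKEN = re.compile(r"\$\{([A-Z_]+)\}")


def filter_strict(template, context):
    """Strict filtering: substitute ${NAME} from context, or return None if any
    token in the template is undefined (the name is then never queried)."""
    if any(name not in context for name in TOKEN.findall(template)):
        return None
    return TOKEN.sub(lambda m: context[m.group(1)], template)


class CachingVault:
    """Stand-in vault caching each lookup (hits and misses) for ttl seconds."""

    def __init__(self, secrets, ttl=10.0, clock=time.monotonic):
        self._secrets = secrets   # constructed secret store, not a real vault
        self._ttl, self._clock = ttl, clock
        self._cache = {}          # secret name -> (value or None, fetched_at)
        self.lookups = 0          # backend requests actually made

    def get_secret(self, name):
        now = self._clock()
        hit = self._cache.get(name)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        self.lookups += 1
        value = self._secrets.get(name)  # None when the vault lacks the secret
        self._cache[name] = (value, now)
        return value


def resolve_tokens(mapping_json, context, vault):
    """Define a token only for secrets whose names resolve fully in the current
    context and which actually have a value stored in the vault."""
    tokens = {}
    for token, name_template in json.loads(mapping_json).items():
        name = filter_strict(name_template, context)
        if name is not None and (value := vault.get_secret(name)) is not None:
            tokens[token] = value
    return tokens
```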