mike-jumper commented on code in PR #753:
URL: https://github.com/apache/guacamole-client/pull/753#discussion_r947463416
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmSecretService.java:
##########
@@ -338,12 +332,57 @@ public Map<String, Future<String>> getTokens(UserContext
userContext, Connectabl
addRecordTokens(tokens, "KEEPER_GATEWAY_",
ksm.getRecordByHost(filter.filter(gatewayHostname)));
+ // Retrieve and define domain tokens, if any
+ String domain = parameters.get("domain");
+ String filteredDomain = null;
+ if (domain != null && !domain.isEmpty()) {
+ filteredDomain = filter.filter(domain);
+ addRecordTokens(tokens, "KEEPER_DOMAIN_",
+ ksm.getRecordByDomain(filteredDomain));
+ }
+
+ // Retrieve and define gateway domain tokens, if any
+ String gatewayDomain = parameters.get("gateway-domain");
+ String filteredGatewayDomain = null;
+ if (gatewayDomain != null && !gatewayDomain.isEmpty()) {
+ filteredGatewayDomain = filter.filter(gatewayDomain);
+ addRecordTokens(tokens, "KEEPER_GATEWAY_DOMAIN_",
+ ksm.getRecordByDomain(filteredGatewayDomain));
+ }
+
+ // If domain matching is disabled for user records,
+ // explicitly set the domains to null when storing
+ // user records to enable username-only matching
+ if (!confService.getMatchUserRecordsByDomain()) {
+ filteredDomain = null;
+ filteredGatewayDomain = null;
+ }
+
+ // Retrieve and define user-specific tokens, if any
+ String username = parameters.get("username");
+ if (username != null && !username.isEmpty())
+ addRecordTokens(tokens, "KEEPER_USER_",
+ ksm.getRecordByLogin(filter.filter(username),
+ filteredDomain));
+
// Retrieve and define gateway user-specific tokens, if any
String gatewayUsername = parameters.get("gateway-username");
if (gatewayUsername != null && !gatewayUsername.isEmpty())
addRecordTokens(tokens, "KEEPER_GATEWAY_USER_",
- ksm.getRecordByLogin(filter.filter(gatewayUsername)));
-
+ ksm.getRecordByLogin(
+ filter.filter(gatewayUsername),
+ filteredGatewayDomain));
+
+ } else {
Review Comment:
Please don't cuddle the else: https://guacamole.apache.org/guac-style/#braces
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/UserDomain.java:
##########
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.ksm.secret;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+/**
+ * A class intended for use as a key in KSM user record client cache. This
+ * class contains both a username and a password. When identifying a KSM
+ * record using token syntax like "KEEPER_USER_*", the user record will
+ * actually be identified by both the user and domain, if the appropriate
+ * settings are enabled.
+ */
+class UserDomain {
+
+ /**
+ * The username associated with the user record.
+ * This field should never be null.
+ */
+ private final String username;
+
+ /**
+ * The domain associated with the user record.
+ * This field can be null.
+ */
+ private final String domain;
+
+ /**
+ * Create a new UserDomain instance with the provided username and
+ * domain. The domain may be null, but the username should never be.
+ *
+ * @param username
+ * The username to create the UserDomain instance with. This should
+ * never be null.
+ *
+ * @param domain
+ * The domain to create the UserDomain instance with. This can be null.
+ */
+ UserDomain(@Nonnull String username, @Nullable String domain) {
+ this.username = username;
+ this.domain = domain;
+ }
+
+ @Override
+ public int hashCode() {
+
+ final int prime = 31;
+
+ int result = 1;
+ result = prime * result + ((domain == null) ? 0 : domain.hashCode());
+ result = prime * result + ((username == null) ? 0 :
username.hashCode());
+
+ return result;
+
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+
+ // Check if the other object is this exact object
+ if (this == obj)
+ return true;
+
+ // Check if the other object is null
+ if (obj == null)
+ return false;
+
+ // Check if the other object is also a UserDomain
+ if (getClass() != obj.getClass())
+ return false;
+
+ // If it is a UserDomain, it must have the same username...
+ UserDomain other = (UserDomain) obj;
+ if (username == null) {
+ if (other.username != null)
+ return false;
+ } else if (!username.equals(other.username))
+ return false;
+
+ // .. and the same domain
+ if (domain == null) {
+ if (other.domain != null)
+ return false;
+ } else if (!domain.equals(other.domain))
+ return false;
+
+ return true;
Review Comment:
I _think_ Java no longer requires quite this level of comparison boilerplate:
https://docs.oracle.com/javase/8/docs/api/java/util/Objects.html#equals-java.lang.Object-java.lang.Object-
Once we know both sides are a `UserDomain`, I think this can be simplified
to something like:
```java
return Objects.equals(username, other.username) && Objects.equals(domain,
other.domain);
```
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmClient.java:
##########
@@ -399,32 +497,75 @@ public KeeperRecord getRecordByHost(String hostname)
throws GuacamoleException {
}
/**
- * Returns the record associated with the given username. If no such record
- * exists, or there are multiple such records, null is returned.
+ * Returns the record associated with the given username and domain. If no
+ * such record exists, or there are multiple such records, null is
returned.
*
* @param username
* The username of the record to return.
*
+ * @param domain
+ * The domain of the record to return.
Review Comment:
The meaning of null for this parameter should be documented.
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/UserDomain.java:
##########
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.ksm.secret;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+/**
+ * A class intended for use as a key in KSM user record client cache. This
+ * class contains both a username and a password. When identifying a KSM
+ * record using token syntax like "KEEPER_USER_*", the user record will
+ * actually be identified by both the user and domain, if the appropriate
+ * settings are enabled.
+ */
+class UserDomain {
Review Comment:
Reading this class name, I initially thought this represented the domain of
a user. Initially, I thought "perhaps this should be `DomainUser`, in line with
AD terminology), but these are not necessarily always AD users...
Perhaps `UserLogin` would make more sense?
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmClient.java:
##########
@@ -236,12 +270,20 @@ private void validateCache() throws GuacamoleException {
cachedRecordsByHost.clear();
// Clear cache of login-based records
- cachedAmbiguousUsernames.clear();
- cachedRecordsByUsername.clear();
+ cachedAmbiguousUsers.clear();
+ cachedRecordsByUser.clear();
- // Store all records, sorting each into host-based and login-based
- // buckets
- records.forEach(record -> {
+ // Clear cache of domain-based records
+ cachedAmbiguousDomains.clear();
+ cachedRecordsByDomain.clear();
+
+ // Store all records, sorting each into host-based, login-based,
+ // and domain-based buckets
+ Iterator<KeeperRecord> recordIterator = records.iterator();
+ while(recordIterator.hasNext()) {
+
+ // Go through records one at a time
+ KeeperRecord record = recordIterator.next();
Review Comment:
Why did this switch from `forEach()` to an interator? Is there an advantage
to the latter?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
