jmuehlner commented on code in PR #751:
URL: https://github.com/apache/guacamole-client/pull/751#discussion_r957877696
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmSecretService.java:
##########
@@ -314,77 +401,85 @@ public Map<String, Future<String>> getTokens(UserContext
userContext, Connectabl
// Attempt to find a KSM config for this connection or group
String ksmConfig = getConnectionGroupKsmConfig(userContext,
connectable);
- // Get a client instance for this KSM config
- KsmClient ksm = getClient(ksmConfig);
-
- // Retrieve and define server-specific tokens, if any
- String hostname = parameters.get("hostname");
- if (hostname != null && !hostname.isEmpty())
- addRecordTokens(tokens, "KEEPER_SERVER_",
- ksm.getRecordByHost(filter.filter(hostname)));
-
- // Tokens specific to RDP
- if ("rdp".equals(config.getProtocol())) {
-
- // Retrieve and define gateway server-specific tokens, if any
- String gatewayHostname = parameters.get("gateway-hostname");
- if (gatewayHostname != null && !gatewayHostname.isEmpty())
- addRecordTokens(tokens, "KEEPER_GATEWAY_",
- ksm.getRecordByHost(filter.filter(gatewayHostname)));
-
- // Retrieve and define domain tokens, if any
- String domain = parameters.get("domain");
- String filteredDomain = null;
- if (domain != null && !domain.isEmpty()) {
- filteredDomain = filter.filter(domain);
- addRecordTokens(tokens, "KEEPER_DOMAIN_",
- ksm.getRecordByDomain(filteredDomain));
+ // Create a list containing just the global / connection group config
+ List<KsmClient> ksmClients = new ArrayList<>(2);
+ ksmClients.add(getClient(ksmConfig));
+
+ // Only use the user-specific KSM config if explicitly enabled in the
global
+ // configuration, AND for the specific connectable being connected to
+ String userKsmConfig = getUserKSMConfig(userContext, connectable);
+ if (userKsmConfig != null && !userKsmConfig.trim().isEmpty())
+ ksmClients.add(0, getClient(userKsmConfig));
+
+ // Iterate through the KSM clients, processing using the user-specific
+ // config first (if it exists), to ensure that any admin-defined values
+ // will override the user-speicifc values
+ Iterator<KsmClient> ksmIterator = ksmClients.iterator();
+ while (ksmIterator.hasNext()) {
+
+ KsmClient ksm = ksmIterator.next();
+
+ // Retrieve and define server-specific tokens, if any
+ String hostname = parameters.get("hostname");
+ if (hostname != null && !hostname.isEmpty())
+ addRecordTokens(tokens, "KEEPER_SERVER_",
+ ksm.getRecordByHost(filter.filter(hostname)));
+
+ // Tokens specific to RDP
+ if ("rdp".equals(config.getProtocol())) {
+ // Retrieve and define domain tokens, if any
+ String domain = parameters.get("domain");
+ String filteredDomain = null;
+ if (domain != null && !domain.isEmpty()) {
+ filteredDomain = filter.filter(domain);
+ addRecordTokens(tokens, "KEEPER_DOMAIN_",
+ ksm.getRecordByDomain(filteredDomain));
+ }
+
+ // Retrieve and define gateway domain tokens, if any
+ String gatewayDomain = parameters.get("gateway-domain");
+ String filteredGatewayDomain = null;
+ if (gatewayDomain != null && !gatewayDomain.isEmpty()) {
+ filteredGatewayDomain = filter.filter(gatewayDomain);
+ addRecordTokens(tokens, "KEEPER_GATEWAY_DOMAIN_",
+ ksm.getRecordByDomain(filteredGatewayDomain));
+ }
+
+ // If domain matching is disabled for user records,
+ // explicitly set the domains to null when storing
+ // user records to enable username-only matching
+ if (!confService.getMatchUserRecordsByDomain()) {
+ filteredDomain = null;
+ filteredGatewayDomain = null;
+ }
+
+ // Retrieve and define user-specific tokens, if any
+ String username = parameters.get("username");
+ if (username != null && !username.isEmpty())
+ addRecordTokens(tokens, "KEEPER_USER_",
+ ksm.getRecordByLogin(filter.filter(username),
+ filteredDomain));
+
+ // Retrieve and define gateway user-specific tokens, if any
+ String gatewayUsername = parameters.get("gateway-username");
+ if (gatewayUsername != null && !gatewayUsername.isEmpty())
+ addRecordTokens(tokens, "KEEPER_GATEWAY_USER_",
+ ksm.getRecordByLogin(
+ filter.filter(gatewayUsername),
+ filteredGatewayDomain));
}
- // Retrieve and define gateway domain tokens, if any
- String gatewayDomain = parameters.get("gateway-domain");
- String filteredGatewayDomain = null;
- if (gatewayDomain != null && !gatewayDomain.isEmpty()) {
- filteredGatewayDomain = filter.filter(gatewayDomain);
- addRecordTokens(tokens, "KEEPER_GATEWAY_DOMAIN_",
- ksm.getRecordByDomain(filteredGatewayDomain));
- }
+ else {
- // If domain matching is disabled for user records,
- // explicitly set the domains to null when storing
- // user records to enable username-only matching
- if (!confService.getMatchUserRecordsByDomain()) {
- filteredDomain = null;
- filteredGatewayDomain = null;
+ // Retrieve and define user-specific tokens, if any
+ // NOTE that non-RDP connections do not have a domain
+ // field in the connection parameters, so the domain
+ // will always be null
+ String username = parameters.get("username");
+ if (username != null && !username.isEmpty())
+ addRecordTokens(tokens, "KEEPER_USER_",
+ ksm.getRecordByLogin(filter.filter(username),
null));
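Review bot: The ordering comment above the `while` loop promises that admin-defined values override user-specific ones, but this holds only if `addRecordTokens` replaces an existing entry for the same token name, and that method is outside this hunk. Even if it does replace, the override would be per token rather than per record: if the user's vault record carries a field that the matching admin record lacks, the final `KEEPER_USER_` or `KEEPER_SERVER_` tokens could mix values from both vaults, so it is worth confirming this is intended. I would state the assumption next to the loop, for example `// relies on addRecordTokens() replacing existing entries; the override is per token, not per record`, and correct the typo `user-speicifc` in the same comment. `getTokens` begins and ends outside the quoted hunk, so how `tokens` is initialised and returned cannot be checked from here.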
Review Comment:
Done.