Subba Reddy Alamuru created GUACAMOLE-2219:
----------------------------------------------
Summary: Vault tokens not resolved for child connections in
BALANCING connection groups
Key: GUACAMOLE-2219
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2219
Project: Guacamole
Issue Type: Bug
Reporter: Subba Reddy Alamuru
When connecting through a BALANCING connection group, vault-managed tokens
(e.g. KEEPER_USER_PASSWORD, KEEPER_USER_USERNAME) are not resolved for the
child connection selected by the load balancer. This causes authentication
failures (e.g. "invalid credentials" for RDP) on connections that work
correctly when connected to directly.
h3. Root Cause
{{TokenInjectingConnectionGroup.connect()}} calls
{{addTokens(ConnectionGroup)}} and then delegates to the underlying JDBC
connection group. For BALANCING groups, {{AbstractGuacamoleTunnelService}}
acquires the child connection internally and connects it directly — the child
is a raw {{ModeledConnection}}, not wrapped by {{TokenInjectingConnection}}.
Therefore {{addTokens(Connection)}} is never invoked for the selected child,
and vault tokens that depend on connection parameters (hostname, username) are
never resolved.
Additionally, {{KsmSecretService.getTokens()}} does not guard against a null
{{GuacamoleConfiguration}}, which is always null for connection groups (they
have no protocol configuration). This causes a {{NullPointerException}} before
the BALANCING group token resolution issue is even reached.
h3. Fix
# {{VaultUserContext.addTokens(ConnectionGroup)}} now detects BALANCING groups
and pre-resolves vault tokens for all child connections using privileged access
to connection configuration.
# {{KsmSecretService.getTokens()}} now returns early when {{config}} is null.
h3. Affected Versions
All versions with vault extension support (tested on 1.5.5 and 1.6.0).
PR: https://github.com/apache/guacamole-client/pull/1163
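
The root cause and fix described in the report, as an added example that is not part of the original message or of Guacamole's code: a simplified, self-contained model of a token-injecting wrapper that is bypassed when a balancing group connects its child directly. All class, method and host names here are hypothetical, and the vault contents are constructed sample data.

```java
import java.util.*;

// Simplified model of the reported bug. Names are hypothetical, not Guacamole's real API.
public class BalancingTokenDemo {
    // Constructed sample vault: secrets are looked up by the connection's hostname.
    static final Map<String, String> VAULT = Map.of("rdp-01.example.test", "s3cret-from-vault");

    record Config(String hostname, String password) {}

    // Vault lookup with the null guard: groups have no config, so they yield no tokens.
    static Map<String, String> vaultTokens(Config config) {
        if (config == null) return Map.of();
        String secret = VAULT.get(config.hostname());
        return secret == null ? Map.of() : Map.of("KEEPER_USER_PASSWORD", secret);
    }

    // Raw child connection: substitutes only the tokens it is handed.
    static String connectChild(Config child, Map<String, String> tokens) {
        String password = child.password();
        for (var e : tokens.entrySet())
            password = password.replace("${" + e.getKey() + "}", e.getValue());
        // A placeholder left unresolved is sent literally and fails authentication.
        return password.contains("${") ? "invalid credentials" : "connected";
    }

    // The balancing group picks a child internally and connects it directly.
    static String connectGroup(List<Config> children, Map<String, String> tokens) {
        return connectChild(children.get(0), tokens);
    }

    // Before: the wrapper resolves tokens for the group only (its config is null).
    static String connectBefore(List<Config> children) {
        return connectGroup(children, vaultTokens(null));
    }

    // After: tokens are pre-resolved for every child before delegating to the group.
    static String connectAfter(List<Config> children) {
        Map<String, String> tokens = new HashMap<>(vaultTokens(null));
        for (Config child : children) tokens.putAll(vaultTokens(child));
        return connectGroup(children, tokens);
    }

    public static void main(String[] args) {
        List<Config> children =
            List.of(new Config("rdp-01.example.test", "${KEEPER_USER_PASSWORD}"));
        System.out.println("before fix: " + connectBefore(children));
        System.out.println("after fix:  " + connectAfter(children));
    }
}
```

The model uses a single child. In this model a shared token map would let children with different secrets overwrite one another's values, so a real implementation needs to keep resolved tokens scoped to the child they were resolved for.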