Re: 1.0.0 Release?
Unsubscibe. > On Dec 31, 2018, at 5:36 PM, Mike Jumper wrote: > > On Mon, Dec 31, 2018 at 8:59 AM Nick Couchman > wrote: > >>> >>> >>> Pretty good, I'd say. I'll type up draft release notes, etc. >>> >>> - Mike >>> >> >> Mike, >> Any progress on the release notes? I started working on some myself, if >> you haven't started on them I can finish up a cut and send those over? >> >> > I'm about half done (ish). Some is written while the rest is > outlined/stubbed. Here's what I have so far: > > https://github.com/mike-jumper/guacamole-website/tree/draft-1.0.0-RC1 > > If you'd like to assist, please do. I can pull commits off your fork, etc. > so that the ultimate pull request has both of our changes. > > - Mike
Re: 1.0.0 Release?
On Mon, Dec 31, 2018 at 8:59 AM Nick Couchman wrote: > > > > > > Pretty good, I'd say. I'll type up draft release notes, etc. > > > > - Mike > > > > Mike, > Any progress on the release notes? I started working on some myself, if > you haven't started on them I can finish up a cut and send those over? > > I'm about half done (ish). Some is written while the rest is outlined/stubbed. Here's what I have so far: https://github.com/mike-jumper/guacamole-website/tree/draft-1.0.0-RC1 If you'd like to assist, please do. I can pull commits off your fork, etc. so that the ultimate pull request has both of our changes. - Mike
[GitHub] guacamole-client pull request #351: GUACAMOLE-683: Add OpenID support in Doc...
Github user krisss85 commented on a diff in the pull request:
https://github.com/apache/guacamole-client/pull/351#discussion_r244620966
--- Diff: guacamole-docker/bin/start.sh ---
@@ -404,6 +404,37 @@ END
ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
+## Adds properties to guacamole.properties which select the OPENID
+## authentication provider, and configure it to connect to the specified
OPENID
+## provider.
+##
+associate_openid() {
+
+# Verify required parameters are present
+if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" -o -z "$OPENID_CLIENT_ID" ];
then
--- End diff --
makes sense indeed, pushed the changes
---
Re: 1.0.0 Release?
On Mon, Dec 31, 2018 at 11:59 AM Nick Couchman wrote: > >> Pretty good, I'd say. I'll type up draft release notes, etc. >> >> - Mike >> > > Mike, > Any progress on the release notes? I started working on some myself, if > you haven't started on them I can finish up a cut and send those over? > > Also, I have this one outstanding issue with the RADIUS module and > challenge authentication that I'm still tracking down. I don't think it > needs to block the 1.0.0 release - it could be classified as a "known > issue" - but I think I've figured out what's going on. As a reminder, the > situation occurs when the RADIUS module is stacked with other modules (e.g. > JDBC), when those other modules authenticate before the RADIUS module, and > when the RADIUS module requests additional credentials. When this happens, > instead of the web app requesting the additional credentials, it just fails > the authentication. > > Based on the debugging I've done, it does not look like the issue is in > the RADIUS module itself - it looks like maybe the errors thrown by the > individual modules get stacked or queued, and the first one in the queue is > the one that the REST API pushes to the web app. So, it goes something > like this: > - User attempts to log in with RADIUS credentials > - JDBC module fails the authentication, throwing an Invalid Credentials > Exception. > - Control is passed to the RADIUS module. > - RADIUS module needs additional credentials, throwing an Insufficient > Credentials Exception with the additional required credentials. > - REST API sends Invalid Credentials to the web app, and authentication > fails completely. > > I've done some debugging and added some logging to confirm that the RADIUS > module is behaving as expected, but that the 403 returned by the api/tokens > endpoint in the above scenario only contains the Invalid Credentials > Exception and not the Insufficient Credentials Exception. > > -Nick > Figured out what was going on, here, and opened a new JIRA issue (against the 1.0.0 release) and a pull request that should take care of this issue. -Nick
[GitHub] guacamole-client pull request #352: GUACAMOLE-684: Insufficient credentials ...
GitHub user necouchman opened a pull request: https://github.com/apache/guacamole-client/pull/352 GUACAMOLE-684: Insufficient credentials should take precedence over other failures This resolves an issue where, depending on the order of stacked authentication modules, `GuacamoleInsufficientCredentialsException`s are overriden by `GuacamoleInvalidCredentialsException`s that occur prior to the insufficient exceptions. This particular issue has come up with the RADIUS module when it gets a challenge/response and is stacked on top of the JDBC module, where the JDBC authentication occurs (and fails) prior to the RADIUS authentication attempt, and the additional credentials are never requested. You can merge this pull request into a Git repository by running: $ git pull https://github.com/necouchman/guacamole-client jira/684 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/guacamole-client/pull/352.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #352 commit a710558854092a162161d8e66d1634b5831e1824 Author: Nick Couchman Date: 2018-12-31T17:37:03Z GUACAMOLE-684: Insufficient credentials should take precedence over other credentials errors. ---
[GitHub] guacamole-client pull request #351: GUACAMOLE-683: Add OpenID support in Doc...
Github user necouchman commented on a diff in the pull request:
https://github.com/apache/guacamole-client/pull/351#discussion_r244603234
--- Diff: guacamole-docker/bin/start.sh ---
@@ -404,6 +404,37 @@ END
ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
+## Adds properties to guacamole.properties which select the OPENID
+## authentication provider, and configure it to connect to the specified
OPENID
+## provider.
+##
+associate_openid() {
+
+# Verify required parameters are present
+if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" -o -z "$OPENID_CLIENT_ID" ];
then
--- End diff --
According to the OpenID documentation
(http://guacamole.apache.org/doc/gug/openid-auth.html), the following
parameters are required:
- openid-authorization-endpoint
- openid-jwks-endpoint
- openid-issuer
- openid-client-id
- openid-redirect-uri
Seems like we should probably check for all of these as required, here, and
not just the authorization endpoint and client ID?
---
Re: 1.0.0 Release?
> > > Pretty good, I'd say. I'll type up draft release notes, etc. > > - Mike > Mike, Any progress on the release notes? I started working on some myself, if you haven't started on them I can finish up a cut and send those over? Also, I have this one outstanding issue with the RADIUS module and challenge authentication that I'm still tracking down. I don't think it needs to block the 1.0.0 release - it could be classified as a "known issue" - but I think I've figured out what's going on. As a reminder, the situation occurs when the RADIUS module is stacked with other modules (e.g. JDBC), when those other modules authenticate before the RADIUS module, and when the RADIUS module requests additional credentials. When this happens, instead of the web app requesting the additional credentials, it just fails the authentication. Based on the debugging I've done, it does not look like the issue is in the RADIUS module itself - it looks like maybe the errors thrown by the individual modules get stacked or queued, and the first one in the queue is the one that the REST API pushes to the web app. So, it goes something like this: - User attempts to log in with RADIUS credentials - JDBC module fails the authentication, throwing an Invalid Credentials Exception. - Control is passed to the RADIUS module. - RADIUS module needs additional credentials, throwing an Insufficient Credentials Exception with the additional required credentials. - REST API sends Invalid Credentials to the web app, and authentication fails completely. I've done some debugging and added some logging to confirm that the RADIUS module is behaving as expected, but that the 403 returned by the api/tokens endpoint in the above scenario only contains the Invalid Credentials Exception and not the Insufficient Credentials Exception. -Nick
