Hello,

I've installed Apache Guacamole v.1.5.4 on Linux CentOS 8.5 - I'm able to log in to the GUI, create users, connections, etc.

I installed a database (MySQL) as well (to manage users, connections) with all needed *.jar files according to the doc https://guacamole.apache.org/doc/gug/jdbc-auth.html

After that, I'm able to log in as the "guacadmin" user to the GUI and manage connections etc.

Now, I want to create a URL for a direct connection to my VM, but I found errors like below:

------------------------------ SCRIPT -------------------------------------
#!/bin/bash

TOKEN=$(curl -s -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=guacadmin&password=guacadmin" \
  http://localhost:8080/guacamole/api/tokens | jq -r '.authToken')

# Endpoint API Guacamole
API_ENDPOINT="http://localhost:8080/guacamole/api/session/data/mysql/connections"

CONNECTION_DATA='{
    "name": "Connection name",
    "protocol": "rdp",
    "parameters": {
        "hostname": "10.194.53.45",
        "port": "3389",
        "username": "user",
        "password": "password"
    }
}'

RESPONSE=$(curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d "$CONNECTION_DATA" "$API_ENDPOINT")

CONNECTION_ID=$(echo "$RESPONSE" | jq -r '.identifier')

if [ "$CONNECTION_ID" != "null" ]; then
    URL="http://localhost:8080/guacamole/#/client/$CONNECTION_ID?token=$TOKEN"
    echo "Connection ID: $CONNECTION_ID"
    echo "URL: $URL"
else
    echo "Error creating connection."
fi
------------------------------ OUTPUT ------------------------------------
Response: {"message":"Permission Denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission Denied."}},"statusCode":null,"expected":null,"type":"PERMISSION_DENIED"}
Error creating connection.
------------------------------ OUTPUT END -------------------------------

---------------------------------- L O G S ----------------------------------
Apache Tomcat & system messages:

0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] "GET /guacamole/api/session/data/mysql/users/self HTTP/1.1" 403 192
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] "GET /guacamole/api/session/data/mysql/users/self HTTP/1.1" 403 192

Feb  9 12:32:36 server[90877]: 12:32:36.207 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb  9 12:32:36 server[90877]: 12:32:36.212 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb  9 12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb  9 12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 2090722754 ...
Feb  9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 2090722754 is GOOD!
Feb  9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 2090722754 to pool.
Feb  9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
Feb  9 12:32:36 server[90877]: 12:32:36.230 [http-nio-8080-exec-8] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.
---------------------------------- L O G S END ----------------------------------

MESSAGE:
DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.

-------------- DATABASE INFO (Permission) ------------------------------------
mysql> SELECT * FROM guacamole_entity JOIN guacamole_user_permission ON guacamole_entity.entity_id = guacamole_user_permission.entity_id WHERE guacamole_entity.name = 'guacadmin';

+-----------+-----------+------+-----------+------------------+------------+
| entity_id | name      | type | entity_id | affected_user_id | permission |
+-----------+-----------+------+-----------+------------------+------------+
|         1 | guacadmin | USER |         1 |                1 | READ       |
|         1 | guacadmin | USER |         1 |                1 | UPDATE     |
|         1 | guacadmin | USER |         1 |                1 | ADMINISTER |
|         1 | guacadmin | USER |         1 |                2 | READ       |
|         1 | guacadmin | USER |         1 |                2 | UPDATE     |
|         1 | guacadmin | USER |         1 |                2 | DELETE     |
|         1 | guacadmin | USER |         1 |                2 | ADMINISTER |
+-----------+-----------+------+-----------+------------------+------------+

I want to be able to dynamically create a URL after clicking on it, which will open the VM window in the browser (without having to enter parameters, username or password).

-- THANK YOU FOR HELP!

Best Regards,
Marcin



On 18 January 2024 at 12:41, Nick Couchman <vn...@apache.org> wrote:

On Thu, Jan 18, 2024 at 1:03 AM anoop yadav <anoop...@gmail.com> wrote:

I am trying to build a Web app where users can create multiple Ubuntu instances and use them through my web app. The domain for my web app is example-app.com, which is written in reactjs. I have hosted guacamole clients on separate subdomains lab.example-app.com.

In the reactjs app, I am using the Iframe (Not sure if there is any other way) to show lab.example-app.com (guacamole client app), since I don't want the user to do another login on the guacamole app. I am planning to use a token. My current logic is as follows:

1. When the user creates an account (the backend is in Django-python) I make a rest API request to create an account, get a token from guacamole and save it to the web app database.
2. When the user creates an Ubuntu instance, using the rest API I create a connection and associate the user with it. I save a URL like lab.example-app.com/guacamole/#/client/<CONNECTION>?token=<TOKEN>

Everything works fine, the user can access multiple connections but since the token has a lifetime, and after that time the URL is not working.

To be clear, the token does not have a lifetime, it has an *idle lifetime* - that is, it times out after a certain period of inactivity. As long as the Guacamole instance is being used - for an active connection, for example - the token will remain valid.

How do I manage the token so that it doesn't expire?

You can set the api-session-timeout property in guacamole.properties to adjust the *idle lifetime* of the token - see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties.

That said, I don't think you really want it to never expire - at least, from a security perspective, I would not recommend that, even if you're doing some other cleanup of the tokens from your web application. You may want to extend it such that it more closely fits in with your use case, but setting it to either never expire (which isn't really possible) or even a very long idle time just adds security risk to the application.

-Nick
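
An added example, not part of either message above and not Guacamole project code: shell helpers for the flow both posters describe (obtain a token, create a connection, build a client link, revoke the token). It assumes Guacamole 1.4.0 or later, where the REST API reads the token from the Guacamole-Token header, and assumes the web client's link format, in which the part after #/client/ is the base64 of the connection id, a NUL byte, the letter c, a NUL byte and the data source name; the host, data source and account values are placeholders.

```shell
#!/bin/sh
# Added example. GUAC_BASE and all account/data-source values are placeholders.
GUAC_BASE="http://localhost:8080/guacamole"

# Log in and print the JSON reply (it carries authToken and dataSource).
guac_login() {  # $1=username  $2=password
  curl -s -X POST "$GUAC_BASE/api/tokens" \
    --data-urlencode "username=$1" --data-urlencode "password=$2"
}

# Create a connection. The token travels in the Guacamole-Token header,
# so it does not appear in the request line of the access log.
guac_create_connection() {  # $1=token  $2=data source  $3=JSON body
  curl -s -X POST "$GUAC_BASE/api/session/data/$2/connections" \
    -H "Content-Type: application/json" \
    -H "Guacamole-Token: $1" \
    -d "$3"
}

# Client identifier used in links: base64("<id>" NUL "c" NUL "<data source>").
# Assumption: this mirrors how the web client encodes connection links.
guac_client_id() {  # $1=connection id  $2=data source
  printf '%s\0c\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Full link for a connection. The token is part of the URL, so treat the
# whole link as a secret for as long as the token is valid.
guac_client_url() {  # $1=connection id  $2=data source  $3=token
  printf '%s/#/client/%s?token=%s' \
    "$GUAC_BASE" "$(guac_client_id "$1" "$2")" "$3"
}

# Revoke a token once the session is finished instead of waiting for
# the idle timeout (api-session-timeout) to expire it.
guac_logout() {  # $1=token
  curl -s -X DELETE "$GUAC_BASE/api/tokens/$1"
}
```

A token placed in a link ends up in browser history and proxy logs, so issue it from an account that can only read the one connection rather than from guacadmin, and call guac_logout when the session ends.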
