mike-jumper commented on code in PR #753:
URL: https://github.com/apache/guacamole-client/pull/753#discussion_r954144464
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmClient.java:
##########
@@ -250,13 +292,38 @@ private void validateCache() throws GuacamoleException {
String hostname = recordService.getHostname(record);
addRecordForHost(record, hostname);
- // Store based on username ONLY if no hostname (will otherwise
- // result in ambiguous entries for servers tied to identical
- // accounts)
- if (hostname == null)
- addRecordForLogin(record,
recordService.getUsername(record));
+ // ... and domain
+ String domain = recordService.getDomain(record);
+ addRecordForDomain(record, domain);
+
+ // Get the username off of the record
+ String username = recordService.getUsername(record);
+
+ // If we have a username, and there isn't already a domain
explicitly defined
+ if (username != null && domain == null
+ && confService.getSplitWindowsUsernames()) {
- });
+ // Attempt to split out the domain of the username
+ WindowsUsername usernameAndDomain = (
+
WindowsUsername.splitWindowsUsernameFromDomain(username));
+
+ // Use the username-split domain if not already set
explicitly
+ if (usernameAndDomain.hasDomain())
+ domain = usernameAndDomain.getDomain();
+ addRecordForDomain(record, domain);
+
+ }
+
+ // If domain matching is not enabled for user records,
+ // explicitly set all domains to null to allow matching
+ // on username only
+ if (!confService.getMatchUserRecordsByDomain())
+ domain = null;
+
+ // Store the login by username and domain
+ addRecordForLogin(record, username, domain);
Review Comment:
Given a record with a login like `DOMAIN\Username`, no field named "domain",
and with domain splitting and domain matching enabled, this looks like it will:
1. Index that record as the username `DOMAIN\Username`.
2. Index that record again with the domain+username pair.
Is that intended?
My thinking was that the intended behavior was:
* Domain (if present) and username are pulled from the record. If splitting
is enabled, that domain _might_ come from splitting the username, in which case
the username will be missing the domain.
* Records are indexed by domain (however that gets retrieved) and by either
domain+username (if domain matching is enabled) or just username (if domain
matching is not enabled).
If the above is true, then I'd think it would be better to abstract this
away beneath the record service, such that `getUsername()` and `getDomain()`
retrieve what we are considering to be the record's username and domain,
transparently taking splitting into account.
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmSecretService.java:
##########
@@ -338,12 +332,59 @@ public Map<String, Future<String>> getTokens(UserContext
userContext, Connectabl
addRecordTokens(tokens, "KEEPER_GATEWAY_",
ksm.getRecordByHost(filter.filter(gatewayHostname)));
+ // Retrieve and define domain tokens, if any
+ String domain = parameters.get("domain");
+ String filteredDomain = null;
+ if (domain != null && !domain.isEmpty()) {
+ filteredDomain = filter.filter(domain);
+ addRecordTokens(tokens, "{KEEPER_DOMAIN_",
Review Comment:
This should be `KEEPER_DOMAIN_`, not `{KEEPER_DOMAIN_`.
##########
extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/UserLogin.java:
##########
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.ksm.secret;
+
+import java.util.Objects;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+/**
+ * A class intended for use as a key in KSM user record client cache. This
+ * class contains both a username and a password. When identifying a KSM
+ * record using token syntax like "KEEPER_USER_*", the user record will
+ * actually be identified by both the user and domain, if the appropriate
+ * settings are enabled.
+ */
+class UserLogin {
+
+ /**
+ * The username associated with the user record.
+ * This field should never be null.
+ */
+ private final String username;
+
+ /**
+ * The domain associated with the user record.
+ * This field can be null.
+ */
+ private final String domain;
+
+ /**
+ * Create a new UserLogin instance with the provided username and
+ * domain. The domain may be null, but the username should never be.
+ *
+ * @param username
+ * The username to create the UserLogin instance with. This should
+ * never be null.
+ *
+ * @param domain
+ * The domain to create the UserLogin instance with. This can be null.
+ */
+ UserLogin(@Nonnull String username, @Nullable String domain) {
+ this.username = username;
+ this.domain = domain;
+ }
+
+ @Override
+ public int hashCode() {
+
+ final int prime = 31;
+
+ int result = 1;
+ result = prime * result + Objects.hashCode(domain);
+ result = prime * result + Objects.hashCode(username);
+
+ return result;
+
+ }
Review Comment:
> While I'm at it, I also switched to the simplified `Objects.hashCode`
method.
I think you can shorten things even further with
[`Objects.hash()`](https://docs.oracle.com/javase/8/docs/api/java/util/Objects.html#hash-java.lang.Object...-):
```java
return Objects.hash(domain, username);
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
