jmuehlner commented on code in PR #830: URL: https://github.com/apache/guacamole-client/pull/830#discussion_r1164746157
########## extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/RestrictionVerificationService.java: ########## @@ -0,0 +1,337 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.restrict; + +import inet.ipaddr.HostName; +import inet.ipaddr.HostNameException; +import inet.ipaddr.IPAddress; +import java.net.UnknownHostException; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.restrict.connection.RestrictConnection; +import org.apache.guacamole.auth.restrict.user.RestrictUser; +import org.apache.guacamole.auth.restrict.usergroup.RestrictUserGroup; +import org.apache.guacamole.calendar.DailyRestriction; +import org.apache.guacamole.calendar.TimeRestrictionParser; +import org.apache.guacamole.host.HostRestrictionParser; +import org.apache.guacamole.language.TranslatableGuacamoleSecurityException; +import org.apache.guacamole.net.auth.AuthenticatedUser; +import org.apache.guacamole.net.auth.Directory; +import org.apache.guacamole.net.auth.UserContext; +import org.apache.guacamole.net.auth.UserGroup; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Service for verifying additional user login restrictions against a given + * login attempt. + */ +public class RestrictionVerificationService { + + /** + * Logger for this class. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(RestrictionVerificationService.class); + + /** + * Parse out the provided strings of allowed and denied times, verifying + * whether or not a login or connection should be allowed at the current + * day and time. A boolean true will be returned if the action should be + * allowed, otherwise false will be returned. + * + * @param allowedTimeString + * The string containing the times that should be parsed to determine if + * the login or connection should be allowed at the current time, or + * null or an empty string if there are no specific allowed times defined. + * + * @param deniedTimeString + * The string containing the times that should be parsed to determine if + * the login or connection should be denied at the current time, or null + * or an empty string if there are no specific times during which a + * action should be denied. + * + * @return + * True if the login or connection should be allowed, otherwise false. + */ + private static boolean allowedByTimeRestrictions(String allowedTimeString, + String deniedTimeString) { + + // Check for denied entries, first, returning false if the login or + // connection should not be allowed. + if (deniedTimeString != null && !deniedTimeString.isEmpty()) { + List<DailyRestriction> deniedTimes = + TimeRestrictionParser.parseString(deniedTimeString); + + for (DailyRestriction restriction : deniedTimes) { + if (restriction.appliesNow()) + return false; + } + } + + // If no allowed entries are present, return true, allowing the login + // or connection to continue. + if (allowedTimeString == null || allowedTimeString.isEmpty()) + return true; + + List<DailyRestriction> allowedTimes = + TimeRestrictionParser.parseString(allowedTimeString); + + // Allowed entries are present, loop through them and check for a valid time. + for (DailyRestriction restriction : allowedTimes) { + // If this time allows the login or connection return true. + if (restriction.appliesNow()) + return true; + } + + // We have allowed entries, but login hasn't matched, so deny it. + return false; + + } + + /** + * Given the strings of allowed and denied hosts, verify that the login or + * connection should be allowed from the given remote address. If the action + * should not be allowed, return false - otherwise, return true. + * + * @param allowedHostsString + * The string containing a semicolon-separated list of hosts from + * which the login or connection should be allowed, or null or an empty + * string if no specific set of allowed hosts is defined. + * + * @param deniedHostsString + * The string containing a semicolon-separated list of hosts from + * which the login or connection should be denied, or null or an empty + * string if no specific set of denied hosts is defined. + * + * @param remoteAddress + * The IP address from which the user is logging in or has logged in + * and is attempting to connect from, if it is known. If it is unknown + * and restrictions are defined, the login or connection will be denied. + * + * @return + * True if the login or connection should be allowed by the host-based + * restrictions, otherwise false. + */ + private static boolean allowedByHostRestrictions(String allowedHostsString, + String deniedHostsString, String remoteAddress) { + + HostName remoteHostName = new HostName(remoteAddress); + + // If attributes do not exist or are empty then the action is allowed. + if ((allowedHostsString == null || allowedHostsString.isEmpty()) + && (deniedHostsString == null || deniedHostsString.isEmpty())) + return true; + + // If the remote address cannot be determined, and restrictions are + // in effect, log an error and deny the action. + if (remoteAddress == null || remoteAddress.isEmpty()) { + LOGGER.error("Host-based restrictions are present, but the remote address is invalid or could not be resolved."); Review Comment: `error` seems like a bit overkill for a case of something that we expected might be not present not being present. Seems like this should be `warning` at worst, or maybe even `info` if not knowing the remote address is really expected. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
