adb014 commented on code in PR #1116: URL: https://github.com/apache/guacamole-client/pull/1116#discussion_r3100644333
########## extensions/guacamole-vault/modules/guacamole-vault-hv/src/main/java/org/apache/guacamole/vault/hv/conf/HvConfigurationService.java: ########## 
@@ -0,0 +1,204 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.hv.conf;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.Nonnull;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.vault.conf.VaultConfigurationService;
+
+@Singleton
+public class HvConfigurationService extends VaultConfigurationService {
+
+ /**
+ * Property name of the URL of the vault specified in the base64 configuration blob.
+ */
+ public static final String PARAM_NAME_VAULT_URL = "vault_url";
+
+ /**
+ * Property name of the authentication token for the vault specified in the
+ * base64 configuration blob.
+ */
+ public static final String PARAM_NAME_VAULT_TOKEN = "vault_token";
+
+ /**
+ * Property name of the maximum time that cached data is considered valid.
+ */
+ public static final String PARAM_NAME_CACHE_LIFETIME = "cache_lifetime";
+
+ /**
+ * The Guacamole server environment.
+ */
+ @Inject
+ private Environment environment;
+
+ /**
+ * The name of the file which contains the YAML mapping of connection
+ * parameter token to secrets within Hashicorp Vault.
+ */
+ private static final String TOKEN_MAPPING_FILENAME = "hv-token-mapping.yml";
+
+ /**
+ * The name of the properties file containing Guacamole configuration
+ * properties whose values are the names of corresponding secrets within
+ * Hashicorp Vault.
+ */
+ private static final String PROPERTIES_FILENAME = "guacamole.properties.hv";
+
+ /**
+ * The base64-encoded configuration information.
+ */
+ private static final StringGuacamoleProperty HV_CONFIG = new StringGuacamoleProperty() {
+ @Override
+ public String getName() {
+ return "hv-config";
+ }
+ };
+
+ /**
+ * Whether unverified server certificates should be accepted.
+ */
+ private static final BooleanGuacamoleProperty ALLOW_UNVERIFIED_CERT = new BooleanGuacamoleProperty() {
+ @Override
+ public String getName() {
+ return "hv-allow-unverified-cert";
+ }
+ };
+
+ /**
+ * Whether users should be able to supply their own HV configurations.
+ */
+ private static final BooleanGuacamoleProperty ALLOW_USER_CONFIG = new BooleanGuacamoleProperty() {
+ @Override
+ public String getName() {
+ return "hv-allow-user-config";
+ }
+ };
+
+ /**
+ * Creates a new HvConfigurationService which reads the configuration
+ * from "hv-token-mapping.yml" and properties from
+ * "guacamole.properties.hv". The token mapping is a YAML file which lists
+ * each connection parameter token and the name of the secret from which
+ * the value for that token should be read, while the properties file is an
+ * alternative to guacamole.properties where each property value is the
+ * name of a secret containing the actual value.
+ */
+ public HvConfigurationService() {
+ super(TOKEN_MAPPING_FILENAME, PROPERTIES_FILENAME);
+ }
+
+ /**
Review Comment: Should probably always return false here. Hashicorp is not really designed to allow users to store their own secrets in it. Yes its technically possible to create a mount path for a user and therir secrets and a dedicated token for this mount path, it practical terms its too painful to do it really... Removing this will simplify the code enormously
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
