tkuhlengel opened a new pull request, #1170: URL: https://github.com/apache/guacamole-client/pull/1170
PR corresponding to https://issues.apache.org/jira/browse/GUACAMOLE-2224

## Problem

When a user authenticates via an external SSO provider (e.g. SAML with Azure AD), the identity provider asserts group membership by name. These names are stored on the `AuthenticatedUser` and surfaced through `getEffectiveUserGroups()`. The previous implementation in `ModeledAuthenticatedUser` resolved this with a flat union:

```java
return Sets.union(user.getEffectiveUserGroups(), super.getEffectiveUserGroups());
```

This combined the user's database group memberships with the raw SSO claims, but made no attempt to walk the database group hierarchy. If `child-group` (matched by SAML claim) was a member of `parent-group` in the database, `parent-group` was never included — and any permissions granted only to `parent-group` were invisible to the SSO user.

Database-native users were unaffected because their memberships are stored as `entity_id` references already handled by the existing recursive expansion in `EntityService`.

---

## Changes

### `ModeledPermissions.expandEffectiveGroups()` — guacamole-auth-jdbc-base

A new method delegates to `EntityService.retrieveEffectiveGroups()`, passing caller-provided external group names as additional seeds for recursive DB group expansion:

```java
public Set<String> expandEffectiveGroups(Collection<String> externalEffectiveGroups) {
    return entityService.retrieveEffectiveGroups(this, externalEffectiveGroups);
}
```

This exposes the existing recursive CTE logic as a callable entry point on the permissions object.

### `ModeledAuthenticatedUser.getEffectiveUserGroups()` — guacamole-auth-jdbc-base

The flat union is replaced with a call to `expandEffectiveGroups()`, passing the raw SSO claims as seeds:

```java
@Override
public Set<String> getEffectiveUserGroups() {
    return user.expandEffectiveGroups(super.getEffectiveUserGroups());
}
```

`super.getEffectiveUserGroups()` returns the SSO group name claims from the originating `AuthenticatedUser`. These are now fed into the recursive expansion, so any ancestor groups of those claims in the database are included in the result — making inherited permissions visible to SSO users.
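The before/after behaviour the PR describes, as an added illustration that is not Guacamole's code: an in-memory stand-in for the database group hierarchy (the table `EntityService` walks with its recursive CTE) is queried once with the old flat union and once with the seeded recursive expansion. The hierarchy, group names other than `child-group`/`parent-group`, and the permission grants are all constructed for the example.

```python
"""Model of effective-group expansion for SSO users (constructed example)."""
from collections import deque

# Constructed stand-in for the DB group hierarchy: member group -> parent groups.
# "child-group" (asserted by the SAML claim) is a member of "parent-group".
GROUP_MEMBERSHIP = {
    "child-group": {"parent-group"},
    "parent-group": {"org-admins"},
    "db-only-group": {"ops"},
}

# Constructed permission grants keyed by group name.
GROUP_PERMISSIONS = {
    "child-group": {"READ:connection-1"},
    "parent-group": {"READ:connection-2"},
    "org-admins": {"ADMINISTER:connection-2"},
}


def flat_union(db_groups, sso_claims):
    """Previous behaviour: DB memberships unioned with raw SSO claims, no walk."""
    return set(db_groups) | set(sso_claims)


def expand_effective_groups(db_groups, sso_claims, membership=GROUP_MEMBERSHIP):
    """New behaviour: seed the expansion with DB memberships plus external (SSO)
    group names and walk parent groups to a fixed point.  The visited set makes
    a membership cycle terminate, as a cycle-aware recursive CTE would."""
    effective = set()
    queue = deque(set(db_groups) | set(sso_claims))
    while queue:
        group = queue.popleft()
        if group in effective:
            continue
        effective.add(group)
        queue.extend(membership.get(group, ()))
    return effective


def effective_permissions(groups, grants=GROUP_PERMISSIONS):
    """Permissions visible to a user holding the given effective groups."""
    perms = set()
    for group in groups:
        perms |= grants.get(group, set())
    return perms


if __name__ == "__main__":
    # An SSO user with no DB memberships and a single "child-group" claim.
    print(sorted(flat_union(set(), {"child-group"})))
    print(sorted(expand_effective_groups(set(), {"child-group"})))
```

Only the expanded set reaches the grant on `parent-group`; the flat union stops at the claim itself.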
