Hi Nick,

I see from the dev group there's a lot of focus on the 1.6.0 release right
now, but just wanted to post my progress here, and if you or anyone has
time to confirm, that will at least save me the effort of continuing down a
blind alley.

I've been able to create an auth extension which provides its own
UserContext, and through the DecoratingDirectory class I can intercept the
connect() method which actually comes from the load-balancing connection
group feature of the jdbc extension. That function receives a
GuacamoleClientInformation object and some tokens, but nothing about the
remote end point. Calling super.connect() returns the GuacamoleTunnel which
is established, but now we're no better off than using a listener for the
TunnelConnect event; that class does not expose any information about the
remote side. Interestingly, the tunnel is shown as an
'org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord', but I've
been unable to import any classes from the jdbc extension, and so can't use
any of the methods on it. I'm not sure if that's as expected, or whether my
environment isn't set up properly. I did try downloading the .jar for the
jdbc extension, and although I can compile then, the code crashes at
runtime.

I can get the tunnel UUID, and am wondering if I might then be able to use
the REST API to get information about the remote end, since this is
displayed in the admin UI? But that seems like a very round-about way of
doing it. If the underlying GuacamoleTunnel had a method to expose the
remote end info, that would be all we'd need...

Many thanks,

David

On Mon, 15 Jul 2024 at 13:33, David Lomas <d...@pale-eds.co.uk> wrote:

> Thanks Nick—shame it's not possible to get that information from the
> listener...
>
> I tried looking at the code you mentioned around DelegatingConnection and
> DelegatingConnectionGroup but I'm not sure if that's still within the
> confines of an authentication plugin or a more significant change to the
> code. At the moment, we're just returning a value from the
> AuthenticatedUser getEffectiveUserGroups() method which points to a
> statically defined (in the database) set of endpoints, using the load
> balancing capabilities within guacamole. Within the guac-manifest.json
> file, I see we can specify authProviders and listeners, but how do we
> integrate these overrides of methods like connect() which aren't part of
> auth or events?
>
> As you can probably tell, I'm learning both the language and guac
> architecture as we go here, so apologies if this is basic dev stuff. If
> there's any other extension code you can recommend I look at to learn how
> to structure this, much appreciated.
>
> Kind regards,
>
> David
>
> On Fri, 5 Jul 2024 at 20:08, Nick Couchman <vn...@apache.org> wrote:
>
>> On Thu, Jul 4, 2024 at 11:29 AM David Lomas <d...@pale-eds.co.uk.invalid>
>> wrote:
>>
>>> Hi,
>>>
>>> I've been able to build our authentication extension which returns a
>>> group assigned to a set of potential endpoints (all Windows RDP servers),
>>> and these are allocated based on availability as people log in. But now
>>> we'd like to do some housekeeping on those target machines as people
>>> connect, and I'm struggling to get the eventual target host that is
>>> returned as part of that flow.
>>>
>>> I'd hoped to use the TunnelConnectEvent (and TunnelCloseEvent) using
>>> something like:
>>>
>>>     public void handleEvent(Object event) throws GuacamoleException {
>>>
>>>         if (event instanceof TunnelConnectEvent) {
>>>             TunnelConnectEvent tce = (TunnelConnectEvent) event;
>>>             AuthenticatedUser user = tce.getAuthenticatedUser();
>>>             GuacamoleTunnel tunnel = tce.getTunnel();
>>>             GuacamoleSocket socket = tunnel.getSocket();
>>>         }
>>>     }
>>>
>>> but at that point, the socket is a FailoverGuacamoleSocket which doesn't
>>> appear to support getting its configuration. Is there some other way to
>>> get the hostname from that point?
>>>
>>>
>> Yeah, looking at the various GuacamoleSocket implementations, I do not
>> see that it is possible to work backward to the connection configuration
>> from that object.
>>
>>
>>> For reference, I'd been following
>>> https://github.com/atcomputing/guacamole-trigger and that extension
>>> specifically doesn't support non-configured sockets.
>>>
>>>
>> Yeah, and even in that example, the author is not working backward from a
>> GuacamoleSocket to a specific connection configuration or anything like
>> that.
>>
>> What you might need to do, instead of trying to intercept this with the
>> Event classes, is actually wrap either the Connection or ConnectionGroup
>> objects and then override the connect() to do any housekeeping before
>> calling the wrapped connect() method, and then after that finishes. The
>> DelegatingConnection and DelegatingConnectionGroup classes provide a good
>> framework for this - extending those classes should allow you to implement
>> what you need while passing the actual connection functionality to the
>> origin Connection and/or ConnectionGroup class.
>>
>>
>>> Many thanks,
>>>
>>> David
>>>
>>> PS—I'm aware this is quite a long way from 'user', but I wasn't sure if
>>> this kind of question is appropriate for dev@. Is there a better place
>>> for this?
>>>
>>
>> There is a dev@ list, and you're certainly welcome to subscribe to that
>> and ask, there. The audience is largely the same, likely a little smaller
>> on the dev@ list, and we're not terribly particular about forcing
>> conversations into one or the other. The main thing we ask is that people
>> don't double or cross-post - that is, same message to both lists, or one
>> message to one, then waiting a day for a response and sending it to the
>> other list.
>>
>> -Nick
>>
>>
>
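
The wrapping approach discussed in this thread (DecoratingDirectory plus DelegatingConnectionGroup with an overridden connect()), sketched as an added example that is not part of the original messages and is not Guacamole project code. HousekeepingGroupDirectory and HousekeepingGroup are hypothetical names; the directory is assumed to be returned from the extension's own UserContext via getConnectionGroupDirectory(), and guacamole-ext is assumed to be on the compile classpath.

```java
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.GuacamoleTunnel;
import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.DecoratingDirectory;
import org.apache.guacamole.net.auth.DelegatingConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.protocol.GuacamoleClientInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical directory that wraps every ConnectionGroup it hands out. */
public class HousekeepingGroupDirectory extends DecoratingDirectory<ConnectionGroup> {

    public HousekeepingGroupDirectory(Directory<ConnectionGroup> directory) {
        super(directory);
    }

    @Override
    protected ConnectionGroup decorate(ConnectionGroup group) {
        return new HousekeepingGroup(group);
    }

    @Override
    protected ConnectionGroup undecorate(ConnectionGroup group) {
        // Give the underlying extension its own object back, not the wrapper
        return group instanceof HousekeepingGroup
                ? ((HousekeepingGroup) group).unwrap() : group;
    }

    /** Hypothetical wrapper: runs hooks around the delegated connect(). */
    static class HousekeepingGroup extends DelegatingConnectionGroup {
        private static final Logger logger =
                LoggerFactory.getLogger(HousekeepingGroup.class);

        HousekeepingGroup(ConnectionGroup group) { super(group); }

        ConnectionGroup unwrap() { return getDelegateConnectionGroup(); }

        @Override
        public GuacamoleTunnel connect(GuacamoleClientInformation info,
                Map<String, String> tokens) throws GuacamoleException {
            // Before: as noted in the thread, nothing passed in here
            // identifies the remote endpoint; only the group is known.
            logger.info("connect requested: group={}", getIdentifier());
            GuacamoleTunnel tunnel = super.connect(info, tokens);
            // After: the tunnel is established and its UUID is available.
            logger.info("tunnel established: uuid={}", tunnel.getUUID());
            return tunnel;
        }
    }
}
```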
