GUACAMOLE-514: Add guacd support for extended VNC credentials.

This commit is contained in:
Nick Couchman 2019-08-02 23:14:17 -04:00
parent f962eab27a
commit 51ae8a41a1
5 changed files with 129 additions and 1 deletions

View File

@ -31,3 +31,32 @@ char* guac_vnc_get_password(rfbClient* client) {
return ((guac_vnc_client*) gc->data)->settings->password;
}
rfbCredential* guac_vnc_get_credentials(rfbClient* client, int credentialType) {
guac_client* gc = rfbClientGetClientData(client, GUAC_VNC_CLIENT_KEY);
rfbCredential *creds = malloc(sizeof(rfbCredential));
if (credentialType == rfbCredentialTypeUser) {
creds->userCredential.username = ((guac_vnc_client*) gc->data)->settings->username;
creds->userCredential.password = ((guac_vnc_client*) gc->data)->settings->password;
return creds;
}
else if (credentialType == rfbCredentialTypeX509) {
creds->x509Credential.x509ClientCertFile = ((guac_vnc_client*) gc->data)->settings->client_cert;
creds->x509Credential.x509ClientKeyFile = ((guac_vnc_client*) gc->data)->settings->client_key;
creds->x509Credential.x509CACertFile = ((guac_vnc_client*) gc->data)->settings->ca_cert;
creds->x509Credential.x509CACRLFile = ((guac_vnc_client*) gc->data)->settings->ca_crl;
if (creds->x509Credential.x509CACRLFile != NULL)
creds->x509Credential.x509CrlVerifyMode = 2;
else
creds->x509Credential.x509CrlVerifyMode = 0;
return creds;
}
guac_client_log(client, GUAC_LOG_ERROR,
"Unknown credential type requested.");
return NULL;
}

View File

@ -27,7 +27,7 @@
/**
* Callback which is invoked by libVNCServer when it needs to read the user's
* VNC password. As ths user's password, if any, will be stored in the
* VNC password. As this user's password, if any, will be stored in the
* connection settings, this function does nothing more than return that value.
*
* @param client
@ -38,5 +38,19 @@
*/
char* guac_vnc_get_password(rfbClient* client);
/**
* Callback which is invoked by libVNCServer when it needs to read the user's
* VNC credentials. The credentials are stored in the connection settings,
* so they will be retrieved from that.
*
* @param client
* The rfbClient associated with the VNC connection requiring the
* authentication.
*
* @return
* The rfbCredential object that contains the required credentials.
*/
rfbCredential* guac_vnc_get_credentials(rfbClient* client, int credentialType);
#endif

View File

@ -35,7 +35,12 @@ const char* GUAC_VNC_CLIENT_ARGS[] = {
"port",
"read-only",
"encodings",
"username",
"password",
"client-cert",
"client-key",
"ca-cert",
"ca-crl",
"swap-red-blue",
"color-depth",
"cursor",
@ -108,11 +113,38 @@ enum VNC_ARGS_IDX {
*/
IDX_ENCODINGS,
/**
* The username to send to the VNC server if authentication is requested.
*/
IDX_USERNAME,
/**
* The password to send to the VNC server if authentication is requested.
*/
IDX_PASSWORD,
/**
* The client certificate to send to the VNC server if x509 authentication
* is being used.
*/
IDX_CLIENT_CERT,
/**
* The client private key to send to the VNC server if x509 authentication
* is being used.
*/
IDX_CLIENT_KEY,
/**
* The CA certificate to use when performing x509 authentication.
*/
IDX_CA_CERT,
/**
* The location of the CA CRL to use when performing x509 authentication.
*/
IDX_CA_CRL,
/**
* "true" if the red and blue components of each color should be swapped,
* "false" or blank otherwise. This is mainly used for VNC servers that do
@ -337,10 +369,30 @@ guac_vnc_settings* guac_vnc_parse_args(guac_user* user,
guac_user_parse_args_int(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_PORT, 0);
settings->username =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_USERNAME, ""); /* NOTE: freed by libvncclient */
settings->password =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_PASSWORD, ""); /* NOTE: freed by libvncclient */
settings->client_cert =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_CLIENT_CERT, NULL);
settings->client_key =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_CLIENT_KEY, NULL);
settings->ca_cert =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_CA_CERT, NULL);
settings->ca_crl =
guac_user_parse_args_string(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_CA_CRL, NULL);
/* Remote cursor */
if (strcmp(argv[IDX_CURSOR], "remote") == 0) {
guac_user_log(user, GUAC_LOG_INFO, "Cursor rendering: remote");
@ -530,6 +582,10 @@ void guac_vnc_settings_free(guac_vnc_settings* settings) {
free(settings->hostname);
free(settings->recording_name);
free(settings->recording_path);
free(settings->client_cert);
free(settings->client_key);
free(settings->ca_cert);
free(settings->ca_crl);
#ifdef ENABLE_VNC_REPEATER
/* Free VNC repeater settings */

View File

@ -45,11 +45,37 @@ typedef struct guac_vnc_settings {
*/
int port;
/**
* The username given in the arguments.
*/
char* username;
/**
* The password given in the arguments.
*/
char* password;
/**
* The client certificate to use for authentication.
*/
char* client_cert;
/**
* The client private key to use for authentication.
*/
char* client_key;
/**
* The CA certificate file to use for authentication.
*/
char* ca_cert;
/**
* The CA CRL location to use for checking for revoked certificates during
* authentication.
*/
char* ca_crl;
/**
* Space-separated list of encodings to use within the VNC session.
*/

View File

@ -153,6 +153,9 @@ rfbClient* guac_vnc_get_client(guac_client* client) {
}
/* Authentication */
rfb_client->GetCredential = guac_vnc_get_credentials;
/* Password */
rfb_client->GetPassword = guac_vnc_get_password;