guacamole-client icon indicating copy to clipboard operation
guacamole-client copied to clipboard
verified publisher icon apache

GUACAMOLE-2137: Introduce HashiCorp Vault token handler (based on the KSM module)

Open TdlQ opened this issue 3 months ago • 2 comments

This PR introduces a new module to handle HashiCorp Vault tokens. It is heavily inspired by and reuses a significant amount of code from the existing KSM module.

The main goal is to provide a dedicated, lightweight solution for fetching secrets from HashiCorp Vault for use in Guacamole connection parameters. This allows for replacing static credentials with dynamic, centrally managed secrets.

Key Features & Implementation Details

  • Token Format: The module uses a new token format, ${HASHIVAULT:path/to/secret/key}, to reference secrets stored in Vault. For example: Password: ${HASHIVAULT:path/to/my/server/guacamole_connection/password}.
  • Centralized Configuration: Vault configuration is managed through a base64-encoded JSON object (vault_url, vault_token, cache_lifetime), which is stored in the HV_CONFIG parameter and can be overridden at connection groups level.
  • Efficient Caching: The module is optimized for performance. When multiple tokens reference the same Vault path (e.g., username and password from the same secret), it performs only a single HTTP query to Vault. Subsequent requests for keys within the same path are served directly from a concurrent, time-based cache.
  • Asynchronous Handling: All Vault queries are performed asynchronously to prevent blocking the connection process. This is achieved using CompletableFuture and a "in-flight" request caching pattern to handle concurrent requests for the same secret efficiently.

Notable Differences and Design Choices (vs KSM)

  • Simplicity: This module is designed to be a simpler, more lightweight alternative to the KSM module, focusing exclusively on basic token handling. It intentionally lacks more advanced features.
  • Execution Order: The setAttributes() method now directly calls processAttributes() to ensure correct execution order, which was an issue observed during development.
  • User Custom Configuration: The user-defined configuration part is currently a placeholder. It mimics KSM's design but might be simplified or removed in the future if a clear use case for it does not emerge.

TdlQ avatar Sep 16 '25 15:09 TdlQ

Hi, can you provide an example of the hv-config property please ?

Jenjamsan avatar Sep 30 '25 14:09 Jenjamsan

Hi, can you provide an example of the hv-config property please ?

To generate one of those configs in the shell, install "jq". Then you pass the base64 string to the guacamole docker in your .env, if you're using docker.

export HV_CONFIG_B64=$(jq -n --arg url "https://your-vault-only..com"
--arg tok "THE_TOKEN_FROM_VAULT_GENERATED_USING_VAULT_CLI"
--arg cache "300s"
'{vault_url:$url, vault_token:$tok, cache_lifetime:$cache}' | base64 -w0)

dcruzrinkel avatar Oct 10 '25 11:10 dcruzrinkel