
GUACAMOLE-1020: Implement extension to enable additional restrictions

Open necouchman opened this issue 1 year ago • 13 comments

I've taken a run at implementing a decorating extension that allows users, groups, connections, and connection groups to be restricted beyond the defaults provided by the base Guacamole implementation:

  • Restrict the times at which users can log in based on a "Day of the Week" schedule. This is implemented using both an "Allow at certain times" field, which, if present, will restrict the user to logins only during those times, and a "Deny at certain times" field, which, if present, will block the user from logging in during the specified times. This is implemented at both the individual user level, as well as a setting that can be applied to a group and will impact all the members of that group. [screenshots]

  • Restrict the hosts from which users can log in, based on hostname, IP address, or CIDR notation. I've attempted to implement both IPv4 and IPv6 restrictions. Hostnames will be reverse-queried to resolve to IPs, and then they are checked against the user's login IP, if it's available. [screenshot]

  • Restrict the times at which connections and/or connection groups (of the Balancing variety) can be accessed, in the same "Day of the Week" schedule.

  • Restrict the hosts from which connections and/or connection groups (of the Balancing variety) can be accessed, using hostname, IP address, and/or CIDR range. [screenshot]

necouchman avatar Apr 11 '23 15:04 necouchman
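The host-restriction check described in the post above (hostname, IP address or CIDR entries for both IPv4 and IPv6, compared against the client's login address), as an added standalone example. This is illustrative code written for this page, not the extension's own Java implementation, and two behaviours are assumptions the thread does not settle: the deny list wins over the allow list, and a login whose client address is unavailable is refused whenever any restriction is configured (fail closed). The resolver is injectable so the example runs offline against a constructed lookup table; `dns_resolve` is the real-DNS variant.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Maps a hostname to the addresses it resolves to. Injected so the check can be
# exercised offline with a constructed table; dns_resolve() is the live version.
Resolver = Callable[[str], list[str]]


def dns_resolve(name: str) -> list[str]:
    """Resolve a hostname to all of its IPv4 and IPv6 addresses via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def normalize_client(addr: str):
    """Parse the client address. IPv4-mapped IPv6 (::ffff:a.b.c.d), which is what a
    dual-stack listener reports for IPv4 clients, is unwrapped so IPv4 rules still match."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_entry(entry: str, resolve: Resolver) -> list:
    """Turn one restriction entry into networks: a CIDR, a bare address (treated as
    /32 or /128), or a hostname that is resolved to every address it has."""
    entry = entry.strip()
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass  # not an address or CIDR: treat it as a hostname
    return [ipaddress.ip_network(address) for address in resolve(entry)]


def matches_any(ip, entries: Iterable[str], resolve: Resolver) -> bool:
    # `ip in net` is False (not an error) when address families differ, so a
    # mixed IPv4/IPv6 list is safe to scan in one pass.
    return any(ip in net for entry in entries for net in parse_entry(entry, resolve))


def host_allowed(client_ip: Optional[str], allowed: Iterable[str], denied: Iterable[str],
                 resolve: Resolver = dns_resolve) -> bool:
    """Allow list present: the client must match it. Deny list: a match refuses.
    Assumptions (not from the thread): deny wins over allow, and an unknown client
    address is refused as soon as any restriction exists."""
    allowed, denied = list(allowed), list(denied)
    if client_ip is None:
        return not (allowed or denied)
    ip = normalize_client(client_ip)
    if allowed and not matches_any(ip, allowed, resolve):
        return False
    return not matches_any(ip, denied, resolve)


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS.
    table = {"bastion.example.net": ["203.0.113.10", "2001:db8::10"]}
    lookup = lambda name: table.get(name, [])
    print(host_allowed("203.0.113.10", ["bastion.example.net"], [], lookup))
    print(host_allowed("10.20.30.40", ["10.0.0.0/8"], ["10.20.0.0/16"], lookup))
```

Two practitioner caveats follow from the design: a hostname entry is only as trustworthy as the DNS answer received at check time, so a list built from hostnames is weaker than one built from addresses; and the "login IP" must be taken from the connection itself or from a proxy header that the deployment has explicitly chosen to trust, otherwise a client can spoof its way past the restriction.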

Had you considered allowing either the weekday or time parts of the restrictions to be left out, rather than requiring both? It looks like most of the code would already be pretty close to supporting that.

I think it could be pretty handy - for example:

An admin might prefer to add a rule that a user can access a connection from 9:00 to 17:00 every day, and also add a couple of rules that the user cannot access the connection on Saturday or Sunday.

As opposed to right now it looks like they'd have to add 5 rules, one for each day of the week, and if they wanted to change the hours, they'd have to change all 5 of the rules.

If this is hard to implement, I'm fine with leaving it as a future enhancement.

jmuehlner avatar Apr 12 '23 23:04 jmuehlner

Had you considered allowing either the weekday or time parts of the restrictions to be left out, rather than requiring both? It looks like most of the code would already be pretty close to supporting that.

I had thought about it, but not quite so thoroughly.

An admin might prefer to add a rule that a user can access a connection from 9:00 to 17:00 every day, and also add a couple of rules that the user cannot access the connection on Saturday or Sunday.

This should be pretty easy to do - I could add a RegEx/parsing rule that looks for an * to create a rule for every day. I could also look for values like WD for Week Day and WE for Week End. It should be pretty easy to map these through to the selection box on the web side so that you get Monday - Sunday, and then three more options: Every Day, Week Days, and Week Ends.

As opposed to right now it looks like they'd have to add 5 rules, one for each day of the week, and if they wanted to change the hours, they'd have to change all 5 of the rules.

Yep, that could be quite cumbersome.

If this is hard to implement, I'm fine with leaving it as a future enhancement.

Nah, I'll take a run at it, I think it should be pretty easy. Thanks for the suggestion!

necouchman avatar Apr 13 '23 02:04 necouchman

@jmuehlner I've taken a run at implementing what I think you were getting at with the multi-day options. [screenshot]

I also tweaked it so that 1) date is always stored in UTC in the database, and 2) the front-end form sticks with the user's timezone for the field itself, then translates to UTC when storing in the backend.

necouchman avatar Apr 13 '23 17:04 necouchman
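The schedule logic discussed across the comments above (allow and deny windows on a day-of-week schedule, the "*"/"WD"/"WE" multi-day tokens, and storing rules in UTC while the form works in the user's timezone), as an added standalone example. This is illustrative code written for this page, not the extension's own implementation; the rule syntax (`"WD 09:00-17:00"`), the rule that deny wins over allow where both match, and the `instant` helper are all assumptions made for the example. It goes one step beyond the thread by handling the case the UTC conversion forces on you: a local window that crosses UTC midnight lands on two UTC weekdays and has to be split.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

DAY_NAMES = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]  # datetime.weekday() order
# Multi-day tokens standing in for the "Every Day", "Week Days" and "Week Ends" choices.
DAY_GROUPS = {"*": frozenset(range(7)), "WD": frozenset(range(5)), "WE": frozenset({5, 6})}


def day_set(token: str) -> frozenset:
    """'MON' -> {0}; '*', 'WD' and 'WE' expand to several weekdays."""
    token = token.upper()
    if token in DAY_GROUPS:
        return DAY_GROUPS[token]
    if token in DAY_NAMES:
        return frozenset({DAY_NAMES.index(token)})
    raise ValueError(f"unknown day token: {token!r}")


def parse_window(window: str) -> tuple:
    """'09:00-17:00' -> (540, 1020) minutes after midnight; end is exclusive, 24:00 allowed."""
    def minutes(part: str) -> int:
        hours, mins = (int(x) for x in part.split(":"))
        return hours * 60 + mins
    start, end = (minutes(p) for p in window.split("-"))
    if not 0 <= start < end <= 24 * 60:
        raise ValueError(f"bad window: {window!r}")
    return start, end


@dataclass(frozen=True)
class TimeRule:
    """One stored rule: a set of UTC weekdays and a [start, end) window in UTC minutes."""
    days: frozenset
    start: int
    end: int

    @classmethod
    def parse(cls, spec: str) -> "TimeRule":
        day, window = spec.split(None, 1)  # assumed syntax, e.g. "WD 13:00-21:00"
        return cls(day_set(day), *parse_window(window))

    def matches(self, utc: datetime) -> bool:
        return utc.weekday() in self.days and self.start <= utc.hour * 60 + utc.minute < self.end


def instant(iso: str, tz: str) -> datetime:
    """Helper (assumed): an aware datetime for wall-clock time `iso` in zone `tz`."""
    return datetime.fromisoformat(iso).replace(tzinfo=ZoneInfo(tz))


def login_allowed(when: datetime, allow: list, deny: list) -> bool:
    """Allow rules, if any, act as a whitelist; deny rules block; deny wins on overlap (assumption).
    The login instant is converted to UTC because that is the form the rules are stored in."""
    if when.tzinfo is None:
        raise ValueError("login time must be timezone-aware")
    utc = when.astimezone(timezone.utc)
    if allow and not any(rule.matches(utc) for rule in allow):
        return False
    return not any(rule.matches(utc) for rule in deny)


def local_to_utc_rules(day: str, window: str, tz: str, week_of: str) -> list:
    """What the form would do before saving: convert a rule entered in the user's zone
    into UTC rules. The offset depends on the date (DST), so the conversion is anchored
    on the week containing the ISO date `week_of`. A window that crosses UTC midnight is
    split so that every stored rule stays within a single UTC weekday."""
    start, end = parse_window(window)
    zone = ZoneInfo(tz)
    monday = date.fromisoformat(week_of)
    monday -= timedelta(days=monday.weekday())
    rules = []
    for weekday in sorted(day_set(day)):
        local_midnight = datetime.combine(monday + timedelta(days=weekday), time(0), zone)
        cur = (local_midnight + timedelta(minutes=start)).astimezone(timezone.utc)
        stop = (local_midnight + timedelta(minutes=end)).astimezone(timezone.utc)
        while cur < stop:
            next_midnight = datetime.combine(cur.date(), time(0), timezone.utc) + timedelta(days=1)
            piece_end = min(stop, next_midnight)
            end_minute = 24 * 60 if piece_end == next_midnight else piece_end.hour * 60 + piece_end.minute
            rules.append(TimeRule(frozenset({cur.weekday()}), cur.hour * 60 + cur.minute, end_minute))
            cur = piece_end
    return rules


if __name__ == "__main__":
    # Monday 09:00-17:00 in Auckland (UTC+12 on the reference week) becomes Sunday
    # 21:00-24:00 plus Monday 00:00-05:00 in UTC: two stored rules, not one.
    for rule in local_to_utc_rules("MON", "09:00-17:00", "Pacific/Auckland", "2023-04-10"):
        print(rule)
```

The anchoring date matters: a rule entered in a zone with daylight saving converts to a different UTC offset in summer than in winter, so a rule saved once in UTC will drift by an hour for users in such zones for half the year. The thread's choice of storing UTC is the simpler one; the alternative of storing the zone alongside local times avoids the drift at the cost of converting on every check.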

This is all looking pretty reasonable to me - @mike-jumper thoughts?

jmuehlner avatar Apr 24 '23 23:04 jmuehlner

@mike-jumper Ping...

necouchman avatar Jun 03 '23 19:06 necouchman

:wave: Sorry about that. I'll take a look over this later today.

mike-jumper avatar Jun 03 '23 20:06 mike-jumper

@mike-jumper or @jmuehlner, anything else that needs tweaking on this one?

necouchman avatar Sep 01 '23 14:09 necouchman

Hi, is there any chance of having this merged with the release of the version 1.6.0, as it is not in the milestone? Thank you for your work.

Toumassa avatar Jan 11 '24 13:01 Toumassa

@Toumassa Yes, I would think we would target it for 1.6.0. I've updated the Jira issue accordingly.

necouchman avatar Jan 11 '24 14:01 necouchman

I can try and come up with something if there's no time, but would it be possible to display somewhere the active time restrictions for a connection? I imagine maybe an icon next to the connection group and hovering over it could display the time restrictions.

Also an ability that would close active connections for non-admins would be good too. (The ability for admins to still connect during a time restriction also doesn't seem to work)

stcbus avatar Feb 01 '24 21:02 stcbus

@mike-jumper @jmuehlner Gentle nudge.

necouchman avatar Mar 28 '24 15:03 necouchman

@mike-jumper Ping.

necouchman avatar Jun 14 '24 20:06 necouchman

I've made a few updates to it, while waiting for reviews - I implemented a Restrictable interface to make some of the methods common to anything that can be restricted, and reworked some of the code around that.

necouchman avatar Jul 29 '24 23:07 necouchman