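/**
 * Evaluates the "is this address inside this range" function: the first
 * argument is a CIDR pattern (or single address), the second the IP address
 * to test. Both arguments are read as their string value.
 *
 * @param evaluationContext the evaluation context; not consulted here
 * @param arguments exactly two arguments: the CIDR pattern, then the IP address
 * @return a boolean attribute value; a syntax-error status when the argument
 *         count is wrong; a processing-error status when either the pattern
 *         or the address cannot be parsed
 */
@Override
public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) {
    if (arguments.size() != 2) {
        return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR));
    }
    String cidr = String.class.cast(arguments.get(0).getValue().getValue());
    String ipAddress = String.class.cast(arguments.get(1).getValue().getValue());

    // Constructing the matcher is where the CIDR pattern gets parsed; a
    // malformed pattern is rejected with IllegalArgumentException just like a
    // malformed address in matches(), so it must be reported as a processing
    // error here instead of escaping the evaluator as an unchecked exception.
    IpAddressMatcher matcher;
    try {
        matcher = new IpAddressMatcher(cidr);
    } catch (IllegalArgumentException e) {
        return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR,
                "Invalid CIDR pattern: ".concat(String.valueOf(cidr))));
    }

    AttributeValue attributeValue;
    try {
        attributeValue = matcher.matches(ipAddress) ? DataTypeBoolean.AV_TRUE : DataTypeBoolean.AV_FALSE;
    } catch (IllegalArgumentException e) {
        // The address under test could not be parsed as an IP address.
        return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR,
                "Invalid IP address: ".concat(ipAddress)));
    }
    return ExpressionResult.newSingle(attributeValue);
}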
/**
 * Tests whether {@code remoteAddress} lies inside any white-list entry.
 * Entries are whatever {@link IpAddressMatcher} accepts (a single address
 * or a CIDR range) and are tried in the set's iteration order; the first
 * hit is logged at debug level and wins.
 *
 * @param remoteAddress the client address to test
 * @param whiteList the configured patterns
 * @return {@code true} if at least one entry matches, {@code false} otherwise
 *         (logged at error level together with the whole list)
 */
private static boolean remoteAddressMatchesWhiteList(final String remoteAddress, final Set<String> whiteList) {
    String matchedEntry = null;
    for (final String pattern : whiteList) {
        final IpAddressMatcher matcher = new IpAddressMatcher(pattern);
        if (matcher.matches(remoteAddress)) {
            matchedEntry = pattern;
            break;
        }
    }
    if (matchedEntry == null) {
        LOG.error("Remote address {} is not matched white-list: {}", remoteAddress, whiteList);
        return false;
    }
    LOG.debug("Found matching white-list entry {} for remoteAddress={}", matchedEntry, remoteAddress);
    return true;
}
/**
 * Checks the current request against the user-specific white-list of
 * IP-address patterns.
 *
 * @return {@code true} if the caller is authenticated as a {@link UserInfo}
 *         principal and at least one of that user's patterns matches the
 *         request's remote address; {@code false} in every other case,
 *         including an unauthenticated or non-{@code UserInfo} principal.
 */
public boolean matchesWhiteList() {
    if (!authentication.isAuthenticated()) {
        return false;
    }
    final Object principal = authentication.getPrincipal();
    if (principal == null || !(principal instanceof UserInfo)) {
        return false;
    }
    final UserInfo userInfo = UserInfo.extractFrom(authentication);
    // Stop at the first pattern that covers the request's remote address.
    for (final String pattern : getWhiteList(userInfo)) {
        if (new IpAddressMatcher(pattern).matches(request)) {
            return true;
        }
    }
    return false;
}
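/**
 * Returns whether the given request can be used for authentication, taking
 * into account restrictions specified within guacamole.properties.
 *
 * The check fails closed: if the trusted-network list cannot be read, or
 * contains an entry that does not parse as an address or CIDR range, the
 * request is denied rather than letting the error escape this method.
 *
 * @param request
 *     The HTTP request to test.
 *
 * @return
 *     true if the given request comes from a trusted source and can be
 *     used for authentication, false otherwise.
 */
public boolean isAuthenticationAllowed(HttpServletRequest request) {

    // Pull list of all trusted networks
    Collection<String> trustedNetworks;
    try {
        trustedNetworks = confService.getTrustedNetworks();
    }

    // Deny all requests if restrictions cannot be parsed
    catch (GuacamoleException e) {
        logger.warn("Authentication request from \"{}\" is DENIED due to parse error: {}", request.getRemoteAddr(), e.getMessage());
        logger.debug("Error parsing authentication request restrictions from guacamole.properties.", e);
        return false;
    }

    // All requests are allowed if no restrictions are defined
    if (trustedNetworks.isEmpty()) {
        logger.debug("Authentication request from \"{}\" is ALLOWED (no restrictions).", request.getRemoteAddr());
        return true;
    }

    // Build matchers for each trusted network. IpAddressMatcher rejects an
    // entry it cannot parse with IllegalArgumentException; without this catch
    // that would propagate out of a boolean check instead of being handled
    // like the parse error above, so treat it the same way and deny.
    Collection<IpAddressMatcher> matchers = new ArrayList<IpAddressMatcher>(trustedNetworks.size());
    for (String network : trustedNetworks) {
        try {
            matchers.add(new IpAddressMatcher(network));
        }
        catch (IllegalArgumentException e) {
            logger.warn("Authentication request from \"{}\" is DENIED due to invalid trusted network \"{}\": {}", request.getRemoteAddr(), network, e.getMessage());
            logger.debug("Error parsing trusted network entry from guacamole.properties.", e);
            return false;
        }
    }

    // Otherwise ensure at least one subnet matches
    for (IpAddressMatcher matcher : matchers) {

        // Request is allowed if any subnet matches
        if (matcher.matches(request)) {
            logger.debug("Authentication request from \"{}\" is ALLOWED (matched subnet).", request.getRemoteAddr());
            return true;
        }

    }

    // Otherwise request is denied - no subnets matched
    logger.debug("Authentication request from \"{}\" is DENIED (did not match subnet).", request.getRemoteAddr());
    return false;

}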