GUACAMOLE-1020: Implement extension to enable additional restrictions

[necouchman]

I've taken a run at implementing a decorating extension that allows users, groups, connections, and connection groups, to be restricted beyond the defaults provided by the base Guacamole implementation:

• Restrict the times at which users can log in based on a "Day of the Week" schedule. This is implemented using both an "Allow at certain times" field, which, if present, will restrict the user to logins only during those times, and a "Deny at certain times" field, which, if present, will block the user from logging in during the specified times. This is implemented at both the individual user level, as well as a setting that can be applied to a group and will impact all the members of that group.
  
  

• Restrict the hosts from which users can log in, based on hostname, IP address, or CIDR notation. I've attempted to implement both IPv4 and IPv6 restrictions. Hostnames will be reverse-queried to resolve to IPs, and then they are checked against the user's login IP, if it's available.
  

• Restrict the times at which connections and/or connection groups (of the Balancing variety) can be accessed, in the same "Day of the Week" schedule.

• Restrict the hosts from which connections and/or connection groups (of the Balancing variety) can be accessed, using hostname, IP address, and/or CIDR range.
  

[jmuehlner]

Had you considered allowing either the weekday or time parts of the restrictions to be left out, rather than requiring both? It looks like most of the code would already be pretty close to supporting that.

I think it could be pretty handy - for example:

An admin might prefer to add rule a that a user can access a connection from 9:00 to 17:00 every day, and also add a couple of rules that the user cannot access the connection on Saturday or Sunday.

As opposed to right now it looks like they'd have to add 5 rules, one for each day of the week, and if they wanted to change the hours, they'd have to change all 5 of the rules.

If this is hard to implement, I'm fine with leaving it as a future enhancement,

[necouchman]

Had you considered allowing either the weekday or time parts of the restrictions to be left out, rather than requiring both? It looks like most of the code would already be pretty close to supporting that.

I had thought about it, but not quite so thorougly.

An admin might prefer to add rule a that a user can access a connection from 9:00 to 17:00 every day, and also add a couple of rules that the user cannot access the connection on Saturday or Sunday.

This should be pretty easy to do - I could add a RegEx/parsing rule that looks for an * to create a rule for every day. I could also look for values like WD for Week Day and WE for Week End. It should be pretty easy to map these through to the selection box on the web side so that you get Monday - Sunday, and then three more options: Every Day, Week Days, and Week Ends.

As opposed to right now it looks like they'd have to add 5 rules, one for each day of the week, and if they wanted to change the hours, they'd have to change all 5 of the rules.

Yep, that could be quite cumbersome.

If this is hard to implement, I'm fine with leaving it as a future enhancement,

Nah, I'll take a run at it, I think it should be pretty easy. Thanks for the suggestion!

[necouchman]

@jmuehlner I've taken a run at implementing what I think you were getting at with the multi-day options.

I also tweaked it so that 1) date is always stored in UTC in the database, and 2) the front-end form sticks with the user's timezone for the field itself, then translates to UTC when storing in the backend.

[jmuehlner]

LGTM, but it looks like there's an outstanding change request by @mike-jumper

[necouchman]

LGTM, but it looks like there's an outstanding change request by @mike-jumper

I'm not seeing any unresolved issues, but I'll scroll through it again and make sure, and wait for Mike's approval.

[jmuehlner]

LGTM, but it looks like there's an outstanding change request by @mike-jumper

I'm not seeing any unresolved issues, but I'll scroll through it again and make sure, and wait for Mike's approval.

Ah, looks like it was just the comment:

Initial partial review - I'm about 50% done reading through the full set of changes.

[mike-jumper]

LGTM, but it looks like there's an outstanding change request by @mike-jumper

I'm not seeing any unresolved issues, but I'll scroll through it again and make sure, and wait for Mike's approval.

Ah, looks like it was just the comment:

Initial partial review - I'm about 50% done reading through the full set of changes.

Heh - nice. :)

I'll read through things now.

[jmuehlner]

LGTM, but it looks like there's an outstanding change request by @mike-jumper

I'm not seeing any unresolved issues, but I'll scroll through it again and make sure, and wait for Mike's approval.

Ah, looks like it was just the comment:

Initial partial review - I'm about 50% done reading through the full set of changes.

Heh - nice. :)

I'll read through things now.

@mike-jumper any objections if I merge this? Did you stil have more you wanted to read through?

[mike-jumper]

Going to double-check the restriction logic, but everything else looks good.

[mike-jumper]

One minor change needed to ensure we don't issue too many queries. Otherwise, LGTM!

[mike-jumper]

Nice. I like this.