guacamole-client 0.5.0

Rust client library for the Guacamole REST API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

use std::fmt;

use serde::{Deserialize, Serialize};

use crate::client::GuacamoleClient;
use crate::error::Result;
use crate::validation::{validate_data_source, validate_token};

/// Response from the Guacamole authentication endpoint.
#[derive(Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct AuthResponse {
    /// The session authentication token.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_token: Option<String>,

    /// The authenticated username.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub username: Option<String>,

    /// The default data source for this session.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_source: Option<String>,

    /// All data sources available to this user.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub available_data_sources: Option<Vec<String>>,
}

impl fmt::Debug for AuthResponse {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("AuthResponse")
            .field("auth_token", &"<redacted>")
            .field("username", &self.username)
            .field("data_source", &self.data_source)
            .field("available_data_sources", &self.available_data_sources)
            .finish()
    }
}

impl GuacamoleClient {
    /// Authenticates with the Guacamole server and stores the session token.
    ///
    /// On success the client stores the token and default data source for
    /// subsequent API calls.
    pub async fn login(&mut self, username: &str, password: &str) -> Result<AuthResponse> {
        let url = self.url_unauth("/api/tokens");
        let response = self
            .http
            .post(&url)
            .form(&[("username", username), ("password", password)])
            .send()
            .await?;

        let auth: AuthResponse = Self::parse_response(response, "authentication").await?;

        if let Some(ref token) = auth.auth_token {
            validate_token(token)?;
        }

        if let Some(ref ds) = auth.data_source {
            validate_data_source(ds)?;
        }

        self.auth_token.clone_from(&auth.auth_token);
        self.data_source.clone_from(&auth.data_source);

        Ok(auth)
    }

    /// Logs out of the Guacamole server and clears the stored session.
    ///
    /// # Security note
    ///
    /// The Guacamole REST API requires the auth token in the URL path
    /// (`DELETE /api/tokens/{token}`). This means the token may appear in
    /// HTTP server access logs, reverse-proxy logs, and browser history.
    /// There is no alternative endpoint that accepts the token in a header.
    pub async fn logout(&mut self) -> Result<()> {
        let token = self.require_token()?.to_owned();
        let url = self.url_unauth(&format!("/api/tokens/{token}"));
        let response = self.http.delete(&url).send().await?;
        Self::handle_error(response, "logout").await?;

        self.auth_token = None;
        self.data_source = None;

        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn auth_response_serde_roundtrip() {
        let auth = AuthResponse {
            auth_token: Some("ABCDEF".to_string()),
            username: Some("guacadmin".to_string()),
            data_source: Some("mysql".to_string()),
            available_data_sources: Some(vec!["mysql".to_string(), "postgresql".to_string()]),
        };
        let json = serde_json::to_string(&auth).unwrap();
        let deserialized: AuthResponse = serde_json::from_str(&json).unwrap();
        assert_eq!(auth, deserialized);
    }

    #[test]
    fn auth_response_camel_case_keys() {
        let auth = AuthResponse {
            auth_token: Some("tok".to_string()),
            data_source: Some("mysql".to_string()),
            available_data_sources: Some(vec!["mysql".to_string()]),
            ..Default::default()
        };
        let json = serde_json::to_value(&auth).unwrap();
        assert!(json.get("authToken").is_some());
        assert!(json.get("dataSource").is_some());
        assert!(json.get("availableDataSources").is_some());
    }

    #[test]
    fn auth_response_debug_redacts_token() {
        let auth = AuthResponse {
            auth_token: Some("super-secret-token".to_string()),
            username: Some("guacadmin".to_string()),
            ..Default::default()
        };
        let debug_output = format!("{auth:?}");
        assert!(
            !debug_output.contains("super-secret-token"),
            "Debug must not contain the auth token"
        );
        assert!(debug_output.contains("<redacted>"));
        assert!(debug_output.contains("guacadmin"));
    }

    #[test]
    fn auth_response_skip_none_fields() {
        let auth = AuthResponse::default();
        let json = serde_json::to_value(&auth).unwrap();
        let obj = json.as_object().unwrap();
        assert!(obj.is_empty());
    }

    #[test]
    fn deserialize_from_api_json() {
        let json = r#"{
            "authToken": "168F8D0A2D68247F30B7E2E01187AEE2CF82186D",
            "username": "guacadmin",
            "dataSource": "mysql",
            "availableDataSources": ["mysql", "mysql-shared"]
        }"#;
        let auth: AuthResponse = serde_json::from_str(json).unwrap();
        assert_eq!(
            auth.auth_token.as_deref(),
            Some("168F8D0A2D68247F30B7E2E01187AEE2CF82186D")
        );
        assert_eq!(auth.username.as_deref(), Some("guacadmin"));
        assert_eq!(auth.data_source.as_deref(), Some("mysql"));
        assert_eq!(
            auth.available_data_sources,
            Some(vec!["mysql".to_string(), "mysql-shared".to_string()])
        );
    }

    #[test]
    fn auth_response_unknown_fields_ignored() {
        let json = r#"{"authToken": "tok", "unknownField": 42}"#;
        let auth: AuthResponse = serde_json::from_str(json).unwrap();
        assert_eq!(auth.auth_token.as_deref(), Some("tok"));
    }
}