Credential hand-over to sub-servers (Wrdp/canonical stack)#1409
Credential hand-over to sub-servers (Wrdp/canonical stack)#1409Rui Carmo (rcarmo) wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR enables IronRDP-based servers to own the RDP handshake and credential collection while handing off the authenticated session to a separate per-user process (the "wrdp"/xrdp-sesman multi-user model). It threads CredSSP-delegated credentials into AcceptorResult::credentials, adds a same-TCP-connection credential cache so reactivation can reuse a validated identity, and introduces a ConnectionBinder hook that swaps in per-user display/input handlers after credentials are available.
Changes:
- Capture CredSSP/Hybrid delegated
TSPasswordCredsfrom the CredSSP server state machine and expose them viaAcceptorResult::credentials(previously TLSClientInfoPduonly). - Add
ConnectionBinder/BoundConnectionserver API (builder + setter + re-exports) that replaces display/input handlers post-auth. - Centralize credential resolution in
resolve_authenticated_credentials, backed by anaccept_finalize()-scoped cache for reactivation, plus unit tests anddocs/wrdp/notes.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
crates/ironrdp-acceptor/src/credssp.rs |
handle_process_result now returns the delegated AuthIdentity alongside Written. |
crates/ironrdp-acceptor/src/lib.rs |
Stores CredSSP-delegated credentials into the acceptor during the CredSSP loop. |
crates/ironrdp-acceptor/src/connection.rs |
Adds set_received_credssp_credentials and updates AcceptorResult::credentials docs to cover CredSSP. |
crates/ironrdp-server/src/server.rs |
Adds ConnectionBinder/BoundConnection, binder invocation in client_accepted, reactivation cache + resolve_authenticated_credentials, and tests. |
crates/ironrdp-server/src/builder.rs |
Wires connection_binder through the builder and build(). |
crates/ironrdp-server/src/lib.rs |
Re-exports BoundConnection/ConnectionBinder. |
docs/wrdp/*.md |
New design notes for auth delegation, CredSSP handoff, and reactivation cache scope. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| let authenticated_credentials = resolve_authenticated_credentials( | ||
| self.credential_validator.clone(), | ||
| result.credentials.as_ref(), | ||
| result.reactivation, | ||
| authenticated_credentials_cache, | ||
| ) | ||
| .await?; |
There was a problem hiding this comment.
Fixed on the canonical rcarmo/IronRDP:wrdp branch in b51bd0a68fb26bfc179571f59ea137eccc850fce and retained at 3b05f6fc70d91c2529df8454ce73a292c05195e6: client_accepted now catches credential-resolution failures, sends ServerSetErrorInfoPdu(ServerDeniedConnection) via send_access_denied(...), then returns the original error.
|
|
||
| /// Set or clear a post-auth connection binder. | ||
| /// | ||
| /// When set, the binder is called after credentials have been validated. |
There was a problem hiding this comment.
Mitigated on the canonical rcarmo/IronRDP:wrdp branch in b51bd0a68fb26bfc179571f59ea137eccc850fce and retained at 3b05f6fc70d91c2529df8454ce73a292c05195e6: the setter docs now say the binder runs when authenticated credentials are available, not strictly only after a configured validator accepts them.
|
Closing in favor of #1413, which my agent put together based on Copilot feedback |
Hello!
I am creating a “wrdp” server that follows the xrdp-sesman model, and broke off this set of commits (along with a little note you can discard) that allows IronRDP to effectively own credential handling while still enabling session hand-off to a process that will then handle the actual user session setup - without that process needing to reinvent the wheel.