You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by mj...@apache.org on 2017/10/27 17:50:59 UTC
[15/24] incubator-guacamole-client git commit: GUACAMOLE-362: Move
password decryption logic into TicketValidationService class.
GUACAMOLE-362: Move password decryption logic into TicketValidationService class.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/62fafcb3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/62fafcb3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/62fafcb3
Branch: refs/heads/staging/0.9.14-incubating
Commit: 62fafcb379f96bb6850f1b4cbb0339072fe0f9f6
Parents: 6313432
Author: Nick Couchman <vn...@apache.org>
Authored: Wed Sep 27 11:13:51 2017 -0400
Committer: Nick Couchman <ni...@yahoo.com>
Committed: Fri Oct 27 13:05:13 2017 -0400
----------------------------------------------------------------------
.../auth/cas/AuthenticationProviderService.java | 114 ++-----------------
.../cas/ticket/TicketValidationService.java | 108 +++++++++++++++++-
2 files changed, 113 insertions(+), 109 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/62fafcb3/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
index 171c30f..325268e 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
@@ -21,32 +21,11 @@ package org.apache.guacamole.auth.cas;
import com.google.inject.Inject;
import com.google.inject.Provider;
-import java.io.BufferedInputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.InputStream;
-import java.io.IOException;
-import java.lang.IllegalArgumentException;
-import java.security.InvalidKeyException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.spec.KeySpec;
-import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
-import java.util.Enumeration;
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import javax.xml.bind.DatatypeConverter;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
@@ -54,9 +33,6 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService;
import org.apache.guacamole.auth.cas.form.CASTicketField;
import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
-import org.jasig.cas.client.authentication.AttributePrincipal;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
* Service providing convenience functions for the CAS AuthenticationProvider
@@ -65,11 +41,6 @@ import org.slf4j.LoggerFactory;
public class AuthenticationProviderService {
/**
- * Logger for this class.
- */
- private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
-
- /**
* Service for retrieving CAS configuration information.
*/
@Inject
@@ -116,16 +87,17 @@ public class AuthenticationProviderService {
if (request != null) {
String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
if (ticket != null) {
- AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
- AttributePrincipal principal = ticketService.validateTicket(ticket);
- String username = principal.getName();
- Object credObj = principal.getAttributes().get("credential");
- if (credObj != null) {
- String clearPass = decryptPassword(credObj.toString());
- if (clearPass != null && !clearPass.isEmpty())
- credentials.setPassword(clearPass);
+ Credentials ticketCredentials = ticketService.validateTicket(ticket);
+ if (ticketCredentials != null) {
+ String username = ticketCredentials.getUsername();
+ if (username != null)
+ credentials.setUsername(username);
+ String password = ticketCredentials.getPassword();
+ if (password != null)
+ credentials.setPassword(password);
}
- authenticatedUser.init(username, credentials);
+ AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
+ authenticatedUser.init(credentials.getUsername(), credentials);
return authenticatedUser;
}
}
@@ -147,70 +119,4 @@ public class AuthenticationProviderService {
}
- /**
- * Takes an encrypted string representing a password provided by
- * the CAS ClearPass service and decrypts it using the private
- * key configured for this extension. Returns null if it is
- * unable to decrypt the password.
- *
- * @param encryptedPassword
- * A string with the encrypted password provided by the
- * CAS service.
- *
- * @return
- * The decrypted password, or null if it is unable to
- * decrypt the password.
- *
- * @throws GuacamoleException
- * If unable to get Guacamole configuration data
- */
- private final String decryptPassword(String encryptedPassword)
- throws GuacamoleException {
-
- // If we get nothing, we return nothing.
- if (encryptedPassword == null || encryptedPassword.isEmpty()) {
- logger.warn("No or empty encrypted password, no password will be available.");
- return null;
- }
-
- final PrivateKey clearpassKey = confService.getClearpassKey();
- if (clearpassKey == null) {
- logger.warn("No private key available to decrypt password.");
- return null;
- }
-
- try {
-
- final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
-
- if (cipher == null)
- throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
-
- // Initialize the Cipher in decrypt mode.
- cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
-
- // Decode and decrypt, and return a new string.
- final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
- final byte[] cipherData = cipher.doFinal(pass64);
- return new String(cipherData);
-
- }
- catch (BadPaddingException e) {
- throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
- }
- catch (IllegalBlockSizeException e) {
- throw new GuacamoleServerException("Illegal block size while opening private key.", e);
- }
- catch (InvalidKeyException e) {
- throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
- }
- catch (NoSuchAlgorithmException e) {
- throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
- }
- catch (NoSuchPaddingException e) {
- throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
- }
-
- }
-
}
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/62fafcb3/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
index 96da6ff..0162801 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
@@ -20,14 +20,24 @@
package org.apache.guacamole.auth.cas.ticket;
import com.google.inject.Inject;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.xml.bind.DatatypeConverter;
import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.cas.conf.ConfigurationService;
+import org.apache.guacamole.net.auth.Credentials;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* Service for validating ID tickets forwarded to us by the client, verifying
@@ -36,13 +46,18 @@ import org.jasig.cas.client.validation.TicketValidationException;
public class TicketValidationService {
/**
+ * Logger for this class.
+ */
+ private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
+
+ /**
* Service for retrieving CAS configuration information.
*/
@Inject
private ConfigurationService confService;
/**
- * Validates and parses the given ID ticket, returning the AttributePrincipal
+ * Validates and parses the given ID ticket, returning the Credentials object
* derived from the parameters provided by the CAS server in the ticket. If the
* ticket is invalid an exception is thrown.
*
@@ -50,13 +65,13 @@ public class TicketValidationService {
* The ID ticket to validate and parse.
*
* @return
- * The AttributePrincipal derived from parameters provided in the ticket.
+ * The Credentials object derived from parameters provided in the ticket.
*
* @throws GuacamoleException
* If the ID ticket is not valid or guacamole.properties could
* not be parsed.
*/
- public AttributePrincipal validateTicket(String ticket) throws GuacamoleException {
+ public Credentials validateTicket(String ticket) throws GuacamoleException {
// Retrieve the configured CAS URL, establish a ticket validator,
// and then attempt to validate the supplied ticket. If that succeeds,
@@ -65,9 +80,26 @@ public class TicketValidationService {
Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl);
validator.setAcceptAnyProxy(true);
try {
+ Credentials ticketCredentials = new Credentials();
String confRedirectURI = confService.getRedirectURI();
Assertion a = validator.validate(ticket, confRedirectURI);
- return a.getPrincipal();
+ AttributePrincipal principal = a.getPrincipal();
+
+ // Retrieve username and set the credentials.
+ String username = principal.getName();
+ if (username != null)
+ ticketCredentials.setUsername(username);
+
+ // Retrieve password, attempt decryption, and set credentials.
+ Object credObj = principal.getAttributes().get("credential");
+ if (credObj != null) {
+ String clearPass = decryptPassword(credObj.toString());
+ if (clearPass != null && !clearPass.isEmpty())
+ ticketCredentials.setPassword(clearPass);
+ }
+
+ return ticketCredentials;
+
}
catch (TicketValidationException e) {
throw new GuacamoleException("Ticket validation failed.", e);
@@ -75,4 +107,70 @@ public class TicketValidationService {
}
+ /**
+ * Takes an encrypted string representing a password provided by
+ * the CAS ClearPass service and decrypts it using the private
+ * key configured for this extension. Returns null if it is
+ * unable to decrypt the password.
+ *
+ * @param encryptedPassword
+ * A string with the encrypted password provided by the
+ * CAS service.
+ *
+ * @return
+ * The decrypted password, or null if it is unable to
+ * decrypt the password.
+ *
+ * @throws GuacamoleException
+ * If unable to get Guacamole configuration data
+ */
+ private final String decryptPassword(String encryptedPassword)
+ throws GuacamoleException {
+
+ // If we get nothing, we return nothing.
+ if (encryptedPassword == null || encryptedPassword.isEmpty()) {
+ logger.warn("No or empty encrypted password, no password will be available.");
+ return null;
+ }
+
+ final PrivateKey clearpassKey = confService.getClearpassKey();
+ if (clearpassKey == null) {
+ logger.warn("No private key available to decrypt password.");
+ return null;
+ }
+
+ try {
+
+ final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
+
+ if (cipher == null)
+ throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
+
+ // Initialize the Cipher in decrypt mode.
+ cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
+
+ // Decode and decrypt, and return a new string.
+ final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
+ final byte[] cipherData = cipher.doFinal(pass64);
+ return new String(cipherData);
+
+ }
+ catch (BadPaddingException e) {
+ throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
+ }
+ catch (IllegalBlockSizeException e) {
+ throw new GuacamoleServerException("Illegal block size while opening private key.", e);
+ }
+ catch (InvalidKeyException e) {
+ throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
+ }
+ catch (NoSuchAlgorithmException e) {
+ throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
+ }
+ catch (NoSuchPaddingException e) {
+ throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
+ }
+
+ }
+
}