Merge 1.1.0 changes back to master.

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java

@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.cas;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.Arrays;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.GuacamoleException;
@@ -31,7 +32,7 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsExce
 import org.apache.guacamole.auth.cas.conf.ConfigurationService;
 import org.apache.guacamole.auth.cas.form.CASTicketField;
 import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
-import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
+import org.apache.guacamole.auth.cas.user.CASAuthenticatedUser;
 
 /**
  * Service providing convenience functions for the CAS AuthenticationProvider
@@ -55,7 +56,7 @@ public class AuthenticationProviderService {
      * Provider for AuthenticatedUser objects.
      */
     @Inject
-    private Provider<AuthenticatedUser> authenticatedUserProvider;
+    private Provider<CASAuthenticatedUser> authenticatedUserProvider;
 
     /**
      * Returns an AuthenticatedUser representing the user authenticated by the
@@ -65,14 +66,14 @@ public class AuthenticationProviderService {
      *     The credentials to use for authentication.
      *
      * @return
-     *     An AuthenticatedUser representing the user authenticated by the
+     *     A CASAuthenticatedUser representing the user authenticated by the
      *     given credentials.
      *
      * @throws GuacamoleException
      *     If an error occurs while authenticating the user, or if access is
      *     denied.
      */
-    public AuthenticatedUser authenticateUser(Credentials credentials)
+    public CASAuthenticatedUser authenticateUser(Credentials credentials)
             throws GuacamoleException {
 
         // Pull CAS ticket from request if present
@@ -80,10 +81,11 @@ public class AuthenticationProviderService {
         if (request != null) {
             String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
             if (ticket != null) {
-                String username = ticketService.validateTicket(ticket, credentials);
+                Map<String, String> tokens = ticketService.validateTicket(ticket, credentials);
+                String username = credentials.getUsername();
                 if (username != null) {
-                    AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-                    authenticatedUser.init(username, credentials);
+                    CASAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
+                    authenticatedUser.init(username, credentials, tokens);
                     return authenticatedUser;
                 }
             }

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java

@@ -22,9 +22,12 @@ package org.apache.guacamole.auth.cas;
 import com.google.inject.Guice;
 import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.cas.user.CASAuthenticatedUser;
 import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.TokenInjectingUserContext;
+import org.apache.guacamole.net.auth.UserContext;
 
 /**
  * Guacamole authentication backend which authenticates users using an
@@ -71,5 +74,17 @@ public class CASAuthenticationProvider extends AbstractAuthenticationProvider {
         return authProviderService.authenticateUser(credentials);
 
     }
+    
+    @Override
+    public UserContext decorate(UserContext context,
+            AuthenticatedUser authenticatedUser, Credentials credentials)
+            throws GuacamoleException {
+        
+        if (!(authenticatedUser instanceof CASAuthenticatedUser))
+            return context;
+        
+        return new TokenInjectingUserContext(context,
+                ((CASAuthenticatedUser) authenticatedUser).getTokens());
+    }
 
 }

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java

@@ -30,12 +30,15 @@ import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import java.nio.charset.Charset;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.cas.conf.ConfigurationService;
 import org.apache.guacamole.net.auth.Credentials;
-import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
-import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
+import org.apache.guacamole.token.TokenName;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
@@ -53,6 +56,11 @@ public class TicketValidationService {
      * Logger for this class.
      */
     private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
+    
+    /**
+     * The prefix to use when generating token names.
+     */
+    public static final String CAS_ATTRIBUTE_TOKEN_PREFIX = "CAS_";
 
     /**
      * Service for retrieving CAS configuration information.
@@ -61,9 +69,9 @@ public class TicketValidationService {
     private ConfigurationService confService;
 
     /**
-     * Validates and parses the given ID ticket, returning the username
-     * provided by the CAS server in the ticket.  If the
-     * ticket is invalid an exception is thrown.
+     * Validates and parses the given ID ticket, returning a map of all
+     * available tokens for the given user based on attributes provided by the
+     * CAS server.  If the ticket is invalid an exception is thrown.
      *
      * @param ticket
      *     The ID ticket to validate and parse.
@@ -73,13 +81,15 @@ public class TicketValidationService {
      *     password values in.
      *
      * @return
-     *     The username derived from the ticket.
+     *     A Map all of tokens for the user parsed from attributes returned
+     *     by the CAS server.
      *
      * @throws GuacamoleException
      *     If the ID ticket is not valid or guacamole.properties could
      *     not be parsed.
      */
-    public String validateTicket(String ticket, Credentials credentials) throws GuacamoleException {
+    public Map<String, String> validateTicket(String ticket,
+            Credentials credentials) throws GuacamoleException {
 
         // Retrieve the configured CAS URL, establish a ticket validator,
         // and then attempt to validate the supplied ticket.  If that succeeds,
@@ -89,33 +99,43 @@ public class TicketValidationService {
         validator.setAcceptAnyProxy(true);
         validator.setEncoding("UTF-8");
         try {
+            Map<String, String> tokens = new HashMap<>();
             URI confRedirectURI = confService.getRedirectURI();
             Assertion a = validator.validate(ticket, confRedirectURI.toString());
             AttributePrincipal principal =  a.getPrincipal();
+            Map<String, Object> ticketAttrs =
+                    new HashMap<>(principal.getAttributes());
 
             // Retrieve username and set the credentials.
             String username = principal.getName();
-            if (username != null)
-                credentials.setUsername(username);
+            if (username == null)
+                throw new GuacamoleSecurityException("No username provided by CAS.");
+            
+            credentials.setUsername(username);
 
             // Retrieve password, attempt decryption, and set credentials.
-            Object credObj = principal.getAttributes().get("credential");
+            Object credObj = ticketAttrs.remove("credential");
             if (credObj != null) {
                 String clearPass = decryptPassword(credObj.toString());
                 if (clearPass != null && !clearPass.isEmpty())
                     credentials.setPassword(clearPass);
             }
+            
+            // Convert remaining attributes that have values to Strings
+            for (Entry <String, Object> attr : ticketAttrs.entrySet()) {
+                String tokenName = TokenName.canonicalize(attr.getKey(),
+                        CAS_ATTRIBUTE_TOKEN_PREFIX);
+                Object value = attr.getValue();
+                if (value != null)
+                    tokens.put(tokenName, value.toString());
+            }
 
-            return username;
+            return tokens;
 
         } 
         catch (TicketValidationException e) {
             throw new GuacamoleException("Ticket validation failed.", e);
         }
-        catch (Throwable t) {
-            logger.error("Error validating ticket with CAS server: {}", t.getMessage());
-            throw new GuacamoleInvalidCredentialsException("CAS login failed.", CredentialsInfo.USERNAME_PASSWORD);
-        }
 
     }
 

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/CASAuthenticatedUser.java

@@ -20,6 +20,8 @@
 package org.apache.guacamole.auth.cas.user;
 
 import com.google.inject.Inject;
+import java.util.Collections;
+import java.util.Map;
 import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.Credentials;
@@ -29,7 +31,7 @@ import org.apache.guacamole.net.auth.Credentials;
  * username and particular set of credentials with the CAS authentication
  * provider.
  */
-public class AuthenticatedUser extends AbstractAuthenticatedUser {
+public class CASAuthenticatedUser extends AbstractAuthenticatedUser {
 
     /**
      * Reference to the authentication provider associated with this
@@ -42,10 +44,15 @@ public class AuthenticatedUser extends AbstractAuthenticatedUser {
      * The credentials provided when this user was authenticated.
      */
     private Credentials credentials;
+    
+    /**
+     * Tokens associated with this authenticated user.
+     */
+    private Map<String, String> tokens;
 
     /**
      * Initializes this AuthenticatedUser using the given username and
-     * credentials.
+     * credentials, and an empty map of parameter tokens.
      *
      * @param username
      *     The username of the user that was authenticated.
@@ -54,10 +61,42 @@ public class AuthenticatedUser extends AbstractAuthenticatedUser {
      *     The credentials provided when this user was authenticated.
      */
     public void init(String username, Credentials credentials) {
+        this.init(username, credentials, Collections.emptyMap());
+    }
+    
+    /**
+     * Initializes this AuthenticatedUser using the given username,
+     * credentials, and parameter tokens.
+     *
+     * @param username
+     *     The username of the user that was authenticated.
+     *
+     * @param credentials
+     *     The credentials provided when this user was authenticated.
+     * 
+     * @param tokens
+     *     A map of all the name/value pairs that should be available
+     *     as tokens when connections are established with this user.
+     */
+    public void init(String username, Credentials credentials,
+            Map<String, String> tokens) {
         this.credentials = credentials;
+        this.tokens = Collections.unmodifiableMap(tokens);
         setIdentifier(username.toLowerCase());
     }
 
+    /**
+     * Returns a Map containing the name/value pairs that can be applied
+     * as parameter tokens when connections are established by the user.
+     * 
+     * @return
+     *     A Map containing all of the name/value pairs that can be
+     *     used as parameter tokens by this user.
+     */
+    public Map<String, String> getTokens() {
+        return tokens;
+    }
+
     @Override
     public AuthenticationProvider getAuthenticationProvider() {
         return authProvider;