diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java index f3870a6d8..a9b3230cc 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java @@ -22,11 +22,10 @@ package org.apache.guacamole.auth.cas; import com.google.inject.Inject; import com.google.inject.Provider; import java.util.Arrays; -import java.util.Enumeration; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; -import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.Environment; import org.apache.guacamole.form.Field; +import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException; @@ -47,6 +46,12 @@ public class AuthenticationProviderService { @Inject private ConfigurationService confService; + /** + * The Guacamole server environment. + */ + @Inject + private Environment environment; + /** * Service for validating received ID tickets. */ @@ -82,9 +87,12 @@ public class AuthenticationProviderService { if (request != null) { String ticket = request.getParameter(CASTicketField.PARAMETER_NAME); if (ticket != null) { - AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); - authenticatedUser.init(ticketService.processUsername(ticket), credentials); - return authenticatedUser; + String username = ticketService.validateTicket(ticket, credentials); + if (username != null) { + AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); + authenticatedUser.init(username, credentials); + return authenticatedUser; + } } } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java index 00fb901a1..dd741a3f8 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java @@ -57,4 +57,16 @@ public class CASGuacamoleProperties { }; + /** + * The location of the private key file used to retrieve the + * password if CAS is configured to support ClearPass. + */ + public static final PrivateKeyGuacamoleProperty CAS_CLEARPASS_KEY = + new PrivateKeyGuacamoleProperty() { + + @Override + public String getName() { return "cas-clearpass-key"; } + + }; + } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java index 17be2d361..dee9c4d69 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java @@ -20,6 +20,8 @@ package org.apache.guacamole.auth.cas.conf; import com.google.inject.Inject; +import java.io.File; +import java.security.PrivateKey; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; @@ -68,4 +70,19 @@ public class ConfigurationService { return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI); } + /** + * Returns the PrivateKey used to decrypt the credential object + * sent encrypted by CAS, or null if no key is defined. + * + * @return + * The PrivateKey used to decrypt the ClearPass + * credential returned by CAS. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ + public PrivateKey getClearpassKey() throws GuacamoleException { + return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY); + } + } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/PrivateKeyGuacamoleProperty.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/PrivateKeyGuacamoleProperty.java new file mode 100644 index 000000000..bd0bd6956 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/PrivateKeyGuacamoleProperty.java @@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.conf; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.io.IOException; +import java.lang.IllegalArgumentException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; +import java.security.spec.PKCS8EncodedKeySpec; +import org.apache.guacamole.properties.GuacamoleProperty; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.environment.Environment; +import org.apache.guacamole.environment.LocalEnvironment; + +/** + * A GuacamoleProperty whose value is derived from a private key file. + */ +public abstract class PrivateKeyGuacamoleProperty implements GuacamoleProperty { + + @Override + public PrivateKey parseValue(String value) throws GuacamoleServerException { + + if (value == null || value.isEmpty()) + return null; + + try { + + // Open and read the file specified in the configuration. + File keyFile = new File(value); + FileInputStream keyStreamIn = new FileInputStream(keyFile); + ByteArrayOutputStream keyStreamOut = new ByteArrayOutputStream(); + byte[] keyBuffer = new byte[1024]; + + for (int readBytes; (readBytes = keyStreamIn.read(keyBuffer)) != -1;) + keyStreamOut.write(keyBuffer, 0, readBytes); + + final byte[] keyBytes = keyStreamOut.toByteArray(); + + // Set up decryption infrastructure + KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); + return keyFactory.generatePrivate(keySpec); + + } + catch (FileNotFoundException e) { + throw new GuacamoleServerException("Could not find the specified key file.", e); + } + catch (IOException e) { + throw new GuacamoleServerException("Could not read in the specified key file.", e); + } + catch (NoSuchAlgorithmException e) { + throw new GuacamoleServerException("RSA algorithm is not available.", e); + } + catch (InvalidKeySpecException e) { + throw new GuacamoleServerException("Key is not in expected PKCS8 encoding.", e); + } + + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java index 9644c684d..122059c6d 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java @@ -20,14 +20,25 @@ package org.apache.guacamole.auth.cas.ticket; import com.google.inject.Inject; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import java.nio.charset.Charset; +import javax.xml.bind.DatatypeConverter; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.cas.conf.ConfigurationService; +import org.apache.guacamole.net.auth.Credentials; import org.jasig.cas.client.authentication.AttributePrincipal; import org.jasig.cas.client.validation.Assertion; import org.jasig.cas.client.validation.Cas20ProxyTicketValidator; import org.jasig.cas.client.validation.TicketValidationException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Service for validating ID tickets forwarded to us by the client, verifying @@ -35,6 +46,11 @@ import org.jasig.cas.client.validation.TicketValidationException; */ public class TicketValidationService { + /** + * Logger for this class. + */ + private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class); + /** * Service for retrieving CAS configuration information. */ @@ -42,24 +58,25 @@ public class TicketValidationService { private ConfigurationService confService; /** - * Validates and parses the given ID ticket, returning the username contained - * therein, as defined by the username claim type given in - * guacamole.properties. If the username claim type is missing or the ID - * ticket is invalid, an exception is thrown instead. + * Validates and parses the given ID ticket, returning the username + * provided by the CAS server in the ticket. If the + * ticket is invalid an exception is thrown. * * @param ticket * The ID ticket to validate and parse. * + * @param credentials + * The Credentials object to store retrieved username and + * password values in. + * * @return - * The username contained within the given ID ticket. + * The username derived from the ticket. * * @throws GuacamoleException - * If the ID ticket is not valid, the username claim type is missing, or - * guacamole.properties could not be parsed. + * If the ID ticket is not valid or guacamole.properties could + * not be parsed. */ - public String processUsername(String ticket) throws GuacamoleException { - - AttributePrincipal principal = null; + public String validateTicket(String ticket, Credentials credentials) throws GuacamoleException { // Retrieve the configured CAS URL, establish a ticket validator, // and then attempt to validate the supplied ticket. If that succeeds, @@ -67,17 +84,97 @@ public class TicketValidationService { String casServerUrl = confService.getAuthorizationEndpoint(); Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl); validator.setAcceptAnyProxy(true); + validator.setEncoding("UTF-8"); try { String confRedirectURI = confService.getRedirectURI(); Assertion a = validator.validate(ticket, confRedirectURI); - principal = a.getPrincipal(); + AttributePrincipal principal = a.getPrincipal(); + + // Retrieve username and set the credentials. + String username = principal.getName(); + if (username != null) + credentials.setUsername(username); + + // Retrieve password, attempt decryption, and set credentials. + Object credObj = principal.getAttributes().get("credential"); + if (credObj != null) { + String clearPass = decryptPassword(credObj.toString()); + if (clearPass != null && !clearPass.isEmpty()) + credentials.setPassword(clearPass); + } + + return username; + } catch (TicketValidationException e) { throw new GuacamoleException("Ticket validation failed.", e); } - // Return the principal name as the username. - return principal.getName(); + } + + /** + * Takes an encrypted string representing a password provided by + * the CAS ClearPass service and decrypts it using the private + * key configured for this extension. Returns null if it is + * unable to decrypt the password. + * + * @param encryptedPassword + * A string with the encrypted password provided by the + * CAS service. + * + * @return + * The decrypted password, or null if it is unable to + * decrypt the password. + * + * @throws GuacamoleException + * If unable to get Guacamole configuration data + */ + private final String decryptPassword(String encryptedPassword) + throws GuacamoleException { + + // If we get nothing, we return nothing. + if (encryptedPassword == null || encryptedPassword.isEmpty()) { + logger.warn("No or empty encrypted password, no password will be available."); + return null; + } + + final PrivateKey clearpassKey = confService.getClearpassKey(); + if (clearpassKey == null) { + logger.debug("No private key available to decrypt password."); + return null; + } + + try { + + final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm()); + + if (cipher == null) + throw new GuacamoleServerException("Failed to initialize cipher object with private key."); + + // Initialize the Cipher in decrypt mode. + cipher.init(Cipher.DECRYPT_MODE, clearpassKey); + + // Decode and decrypt, and return a new string. + final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); + final byte[] cipherData = cipher.doFinal(pass64); + return new String(cipherData, Charset.forName("UTF-8")); + + } + catch (BadPaddingException e) { + throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e); + } + catch (IllegalBlockSizeException e) { + throw new GuacamoleServerException("Illegal block size while opening private key.", e); + } + catch (InvalidKeyException e) { + throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e); + } + catch (NoSuchAlgorithmException e) { + throw new GuacamoleServerException("Unexpected algorithm for the private key.", e); + } + catch (NoSuchPaddingException e) { + throw new GuacamoleServerException("No such padding trying to initialize cipher with private key.", e); + } }