GUACAMOLE-362: Merge support for CAS ClearPass.

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java

@@ -22,11 +22,10 @@ package org.apache.guacamole.auth.cas;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.Arrays;
-import java.util.Enumeration;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.form.Field;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
@@ -47,6 +46,12 @@ public class AuthenticationProviderService {
     @Inject
     private ConfigurationService confService;
 
+    /**
+     * The Guacamole server environment.
+     */
+    @Inject
+    private Environment environment;
+
     /**
      * Service for validating received ID tickets.
      */
@@ -82,11 +87,14 @@ public class AuthenticationProviderService {
         if (request != null) {
             String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
             if (ticket != null) {
+                String username = ticketService.validateTicket(ticket, credentials);
+                if (username != null) {
                     AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-                authenticatedUser.init(ticketService.processUsername(ticket), credentials);
+                    authenticatedUser.init(username, credentials);
                     return authenticatedUser;
                 }
             }
+        }
 
         // Request CAS ticket
         throw new GuacamoleInsufficientCredentialsException(

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java

@@ -57,4 +57,16 @@ public class CASGuacamoleProperties {
 
     };
 
+    /**
+     * The location of the private key file used to retrieve the
+     * password if CAS is configured to support ClearPass.
+     */
+    public static final PrivateKeyGuacamoleProperty CAS_CLEARPASS_KEY =
+            new PrivateKeyGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "cas-clearpass-key"; }
+
+    };
+
 }

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java

@@ -20,6 +20,8 @@
 package org.apache.guacamole.auth.cas.conf;
 
 import com.google.inject.Inject;
+import java.io.File;
+import java.security.PrivateKey;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
 
@@ -68,4 +70,19 @@ public class ConfigurationService {
         return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI);
     }
 
+    /**
+     * Returns the PrivateKey used to decrypt the credential object
+     * sent encrypted by CAS, or null if no key is defined.
+     *
+     * @return
+     *     The PrivateKey used to decrypt the ClearPass
+     *     credential returned by CAS.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public PrivateKey getClearpassKey() throws GuacamoleException {
+        return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY);
+    }
+
 }

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/PrivateKeyGuacamoleProperty.java

@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.cas.conf;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.IllegalArgumentException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import org.apache.guacamole.properties.GuacamoleProperty;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.environment.LocalEnvironment;
+
+/**
+ * A GuacamoleProperty whose value is derived from a private key file.
+ */
+public abstract class PrivateKeyGuacamoleProperty implements GuacamoleProperty<PrivateKey>  {
+
+    @Override
+    public PrivateKey parseValue(String value) throws GuacamoleServerException {
+
+        if (value == null || value.isEmpty())
+            return null;
+
+        try {
+
+            // Open and read the file specified in the configuration.
+            File keyFile = new File(value);
+            FileInputStream keyStreamIn = new FileInputStream(keyFile);
+            ByteArrayOutputStream keyStreamOut = new ByteArrayOutputStream();
+            byte[] keyBuffer = new byte[1024];
+
+            for (int readBytes; (readBytes = keyStreamIn.read(keyBuffer)) != -1;)
+                keyStreamOut.write(keyBuffer, 0, readBytes);
+
+            final byte[] keyBytes = keyStreamOut.toByteArray();
+
+            // Set up decryption infrastructure
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
+            return keyFactory.generatePrivate(keySpec);
+
+        }
+        catch (FileNotFoundException e) {
+            throw new GuacamoleServerException("Could not find the specified key file.", e);
+        }
+        catch (IOException e) {
+            throw new GuacamoleServerException("Could not read in the specified key file.", e);
+        }
+        catch (NoSuchAlgorithmException e) {
+            throw new GuacamoleServerException("RSA algorithm is not available.", e);
+        }
+        catch (InvalidKeySpecException e) {
+            throw new GuacamoleServerException("Key is not in expected PKCS8 encoding.", e);
+        }
+
+    }
+
+}

extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java

@@ -20,14 +20,25 @@
 package org.apache.guacamole.auth.cas.ticket;
 
 import com.google.inject.Inject;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import java.nio.charset.Charset;
+import javax.xml.bind.DatatypeConverter;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.cas.conf.ConfigurationService;
+import org.apache.guacamole.net.auth.Credentials;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
 import org.jasig.cas.client.validation.TicketValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Service for validating ID tickets forwarded to us by the client, verifying
@@ -35,6 +46,11 @@ import org.jasig.cas.client.validation.TicketValidationException;
  */
 public class TicketValidationService {
 
+    /**
+     * Logger for this class.
+     */
+    private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
+
     /**
      * Service for retrieving CAS configuration information.
      */
@@ -42,24 +58,25 @@ public class TicketValidationService {
     private ConfigurationService confService;
 
     /**
-     * Validates and parses the given ID ticket, returning the username contained
-     * therein, as defined by the username claim type given in
-     * guacamole.properties. If the username claim type is missing or the ID
-     * ticket is invalid, an exception is thrown instead.
+     * Validates and parses the given ID ticket, returning the username
+     * provided by the CAS server in the ticket.  If the
+     * ticket is invalid an exception is thrown.
      *
      * @param ticket
      *     The ID ticket to validate and parse.
      *
+     * @param credentials
+     *     The Credentials object to store retrieved username and
+     *     password values in.
+     *
      * @return
-     *     The username contained within the given ID ticket.
+     *     The username derived from the ticket.
      *
      * @throws GuacamoleException
-     *     If the ID ticket is not valid, the username claim type is missing, or
-     *     guacamole.properties could not be parsed.
+     *     If the ID ticket is not valid or guacamole.properties could
+     *     not be parsed.
      */
-    public String processUsername(String ticket) throws GuacamoleException {
-
-        AttributePrincipal principal = null;
+    public String validateTicket(String ticket, Credentials credentials) throws GuacamoleException {
 
         // Retrieve the configured CAS URL, establish a ticket validator,
         // and then attempt to validate the supplied ticket.  If that succeeds,
@@ -67,17 +84,97 @@ public class TicketValidationService {
         String casServerUrl = confService.getAuthorizationEndpoint();
         Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl);
         validator.setAcceptAnyProxy(true);
+        validator.setEncoding("UTF-8");
         try {
             String confRedirectURI = confService.getRedirectURI();
             Assertion a = validator.validate(ticket, confRedirectURI);
-            principal = a.getPrincipal();
+            AttributePrincipal principal =  a.getPrincipal();
+
+            // Retrieve username and set the credentials.
+            String username = principal.getName();
+            if (username != null)
+                credentials.setUsername(username);
+
+            // Retrieve password, attempt decryption, and set credentials.
+            Object credObj = principal.getAttributes().get("credential");
+            if (credObj != null) {
+                String clearPass = decryptPassword(credObj.toString());
+                if (clearPass != null && !clearPass.isEmpty())
+                    credentials.setPassword(clearPass);
+            }
+
+            return username;
+
         } 
         catch (TicketValidationException e) {
             throw new GuacamoleException("Ticket validation failed.", e);
         }
 
-        // Return the principal name as the username.
-        return principal.getName();
+    }
+
+    /**
+     * Takes an encrypted string representing a password provided by
+     * the CAS ClearPass service and decrypts it using the private
+     * key configured for this extension.  Returns null if it is
+     * unable to decrypt the password.
+     *
+     * @param encryptedPassword
+     *     A string with the encrypted password provided by the
+     *     CAS service.
+     *
+     * @return
+     *     The decrypted password, or null if it is unable to
+     *     decrypt the password.
+     *
+     * @throws GuacamoleException
+     *     If unable to get Guacamole configuration data
+     */
+    private final String decryptPassword(String encryptedPassword)
+            throws GuacamoleException {
+
+        // If we get nothing, we return nothing.
+        if (encryptedPassword == null || encryptedPassword.isEmpty()) {
+            logger.warn("No or empty encrypted password, no password will be available.");
+            return null;
+        }
+
+        final PrivateKey clearpassKey = confService.getClearpassKey();
+        if (clearpassKey == null) {
+            logger.debug("No private key available to decrypt password.");
+            return null;
+        }
+
+        try {
+
+            final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
+
+            if (cipher == null)
+                throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
+
+            // Initialize the Cipher in decrypt mode.
+            cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
+
+            // Decode and decrypt, and return a new string.
+            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
+            final byte[] cipherData = cipher.doFinal(pass64);
+            return new String(cipherData, Charset.forName("UTF-8"));
+
+        }
+        catch (BadPaddingException e) {
+            throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
+        }
+        catch (IllegalBlockSizeException e) {
+            throw new GuacamoleServerException("Illegal block size while opening private key.", e);
+        }
+        catch (InvalidKeyException e) {
+            throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
+        }
+        catch (NoSuchAlgorithmException e) {
+            throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
+        }
+        catch (NoSuchPaddingException e) {
+            throw new GuacamoleServerException("No such padding trying to initialize cipher with private key.", e);
+        }
 
     }