GUACAMOLE-362: Add support for CAS ClearPass, parsing and decrypting the password and assigning it a token.

2025-09-06 13:17:41 +00:00 · 2017-08-16 11:58:26 -04:00
parent d955fbea1a
commit 1c4831dd51
4 changed files with 134 additions and 8 deletions
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
@@ -21,11 +21,26 @@ package org.apache.guacamole.auth.cas;

 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
 import java.util.Enumeration;
+import javax.crypto.Cipher;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import javax.xml.bind.DatatypeConverter;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.LocalEnvironment;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
@@ -34,6 +49,9 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService;
 import org.apache.guacamole.auth.cas.form.CASTicketField;
 import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
 import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
+import org.jasig.cas.client.authentication.AttributePrincipal;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 /**
 * Service providing convenience functions for the CAS AuthenticationProvider
@@ -41,6 +59,11 @@ import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
 */
 public class AuthenticationProviderService {

+    /**
+     * Logger for this class.
+     */
+    private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
+
    /**
     * Service for retrieving CAS configuration information.
     */
@@ -83,7 +106,13 @@ public class AuthenticationProviderService {
            String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
            if (ticket != null) {
                AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-                authenticatedUser.init(ticketService.processUsername(ticket), credentials);
+                AttributePrincipal principal = ticketService.validateTicket(ticket);
+                String username = principal.getName();
+                credentials.setUsername(username);
+                String clearPass = decryptPassword(principal.getAttributes().get("credential").toString());
+                if (clearPass != null && !clearPass.isEmpty())
+                    credentials.setPassword(clearPass);
+                authenticatedUser.init(username, credentials);
                return authenticatedUser;
            }
        }
@@ -105,4 +134,76 @@ public class AuthenticationProviderService {

    }

+    /**
+     * Takes an encrypted string representing a password provided by
+     * the CAS ClearPass service and decrypts it using the private
+     * key configured for this extension.  Returns null if it is
+     * unable to decrypt the password.
+     *
+     * @param encryptedPassword
+     *     A string with the encrypted password provided by the
+     *     CAS service.
+     *
+     * @return
+     *     The decrypted password, or null if it is unable to
+     *     decrypt the password.
+     * @throws GuacamoleException
+     *     If unable to get Guacamole configuration data
+     */
+    private final String decryptPassword(String encryptedPassword)
+            throws GuacamoleException {
+
+        // If we get nothing, we return nothing.
+        if (encryptedPassword == null || encryptedPassword.isEmpty())
+            return null;
+
+        try {
+
+            // Open and read the file specified in the configuration.
+            File keyFile = new File(new LocalEnvironment().getGuacamoleHome(), confService.getClearpassKey().toString());
+            InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile));
+            final byte[] keyBytes = new byte[(int) keyFile.length()];
+            keyInput.read(keyBytes);
+            keyInput.close();
+      
+            // Set up decryption infrastructure
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); 
+            final PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
+            final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
+            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
+            cipher.init(Cipher.DECRYPT_MODE, privateKey);
+
+            // Decrypt and return a new string.
+            final byte[] cipherData = cipher.doFinal(pass64);
+            return new String(cipherData);
+        }
+        catch (FileNotFoundException e) {
+            logger.error("ClearPass key file not found, password will not be decrypted.");
+            logger.debug("Error locating the ClearPass key file: {}", e.getMessage());
+            return null;
+        }
+        catch (IOException e) {
+            logger.error("Error reading ClearPass key file, password will not be decrypted.");
+            logger.debug("Error reading the ClearPass key file: {}", e.getMessage());
+            return null;
+        }
+        catch (NoSuchAlgorithmException e) {
+            logger.error("Unable to find the specified algorithm, password will not be decrypted.");
+            logger.debug("Algorithm was not found: {}", e.getMessage());
+            return null;
+        }
+        catch (InvalidKeyException e) {
+            logger.error("Invalid key was loaded, password will not be decrypted.");
+            logger.debug("The loaded key was invalid: {}", e.getMessage());
+            return null;
+        }
+        catch (Throwable t) {
+            logger.error("Error decrypting password, it will not be available as a token.");
+            logger.debug("Error in one of the components to decrypt the password: {}", t.getMessage());
+            return null;
+        }
+
+    }
+
 }
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
@@ -19,6 +19,7 @@

 package org.apache.guacamole.auth.cas.conf;

+import org.apache.guacamole.properties.FileGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;

 /**
@@ -57,4 +58,16 @@ public class CASGuacamoleProperties {

    };

+    /**
+     * The location of the private key file used to retrieve the
+     * password if CAS is configured to support ClearPass.
+     */
+    public static final FileGuacamoleProperty CAS_CLEARPASS_KEY =
+            new FileGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "cas-clearpass-key"; }
+
+    };
+
 }
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
@@ -20,6 +20,7 @@
 package org.apache.guacamole.auth.cas.conf;

 import com.google.inject.Inject;
+import java.io.File;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;

@@ -68,4 +69,20 @@ public class ConfigurationService {
        return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI);
    }

+    /**
+     * Returns the path to the file that contains the private key
+     * used to decrypt the credential that is sent encrypted by CAS,
+     * or null if no key is defined.
+     *
+     * @return
+     *     The path to the private key to decrypt the ClearPass
+     *     credential returned by CAS.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public File getClearpassKey() throws GuacamoleException {
+        return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY);
+    }
+
 }
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
@@ -57,9 +57,7 @@ public class TicketValidationService {
     *     If the ID ticket is not valid, the username claim type is missing, or
     *     guacamole.properties could not be parsed.
     */
-    public String processUsername(String ticket) throws GuacamoleException {
-
-        AttributePrincipal principal = null;
+    public AttributePrincipal validateTicket(String ticket) throws GuacamoleException {

        // Retrieve the configured CAS URL, establish a ticket validator,
        // and then attempt to validate the supplied ticket.  If that succeeds,
@@ -70,15 +68,12 @@ public class TicketValidationService {
        try {
            String confRedirectURI = confService.getRedirectURI();
            Assertion a = validator.validate(ticket, confRedirectURI);
-            principal = a.getPrincipal();
+            return a.getPrincipal();
        } 
        catch (TicketValidationException e) {
            throw new GuacamoleException("Ticket validation failed.", e);
        }

-        // Return the principal name as the username.
-        return principal.getName();
-
    }

 }