GUACAMOLE-362: Implement new CipherGuacamoleProperty and move cipher functionality to it.

2025-09-06 05:07:41 +00:00 · 2017-08-27 20:34:46 -04:00
parent c3aaf0aa03
commit 36489ff403
4 changed files with 102 additions and 45 deletions
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
@@ -37,6 +37,7 @@ import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
 import java.util.Enumeration;
 import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
@@ -170,53 +171,16 @@ public class AuthenticationProviderService {

        try {

-            // Open and read the file specified in the configuration.
-            File keyFile = new File(environment.getGuacamoleHome(), confService.getClearpassKey().toString());
-            InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile));
-            final byte[] keyBytes = new byte[(int) keyFile.length()];
-            keyInput.read(keyBytes);
-            keyInput.close();
-      
-            // Set up decryption infrastructure
-            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-            KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); 
-            final PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
-            final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
-            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
-            cipher.init(Cipher.DECRYPT_MODE, privateKey);
+            final Cipher cipher = confService.getClearpassCipher();

            // Decrypt and return a new string.
+            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
            final byte[] cipherData = cipher.doFinal(pass64);
            return new String(cipherData);
        }
-        catch (FileNotFoundException e) {
-            logger.error("ClearPass key file not found, password will not be decrypted.");
-            logger.debug("Error locating the ClearPass key file: {}", e);
-            return null;
-        }
-        catch (IOException e) {
-            logger.error("Error reading ClearPass key file, password will not be decrypted.");
-            logger.debug("Error reading the ClearPass key file: {}", e);
-            return null;
-        }
-        catch (NoSuchAlgorithmException e) {
-            logger.error("Unable to find the specified algorithm, password will not be decrypted.");
-            logger.debug("Algorithm was not found: {}", e);
-            return null;
-        }
-        catch (InvalidKeyException e) {
-            logger.error("Invalid key was loaded, password will not be decrypted.");
-            logger.debug("The loaded key was invalid: {}", e);
-            return null;
-        }
-        catch (IllegalArgumentException e) {
-            logger.error("Failed to parse Base64 data, password will not be decrypted.");
-            logger.debug("Data received was not valid Base64 data, so decryption cannot continue: {}", e);
-            return null;
-        }
        catch (Throwable t) {
-            logger.error("Error decrypting password, it will not be available as a token.");
-            logger.debug("Error in one of the components to decrypt the password: {}", t);
+            logger.error("Failed to decrypt the data, password token will not be available.");
+            logger.debug("Failed to either convert Base64 or decrypt the password.  CAS Password will not be available inside Guacamole.  Exception is: {}", t);
            return null;
        }

--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
@@ -19,7 +19,7 @@

 package org.apache.guacamole.auth.cas.conf;

-import org.apache.guacamole.properties.FileGuacamoleProperty;
+import org.apache.guacamole.properties.CipherGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;

 /**
@@ -62,8 +62,8 @@ public class CASGuacamoleProperties {
     * The location of the private key file used to retrieve the
     * password if CAS is configured to support ClearPass.
     */
-    public static final FileGuacamoleProperty CAS_CLEARPASS_KEY =
-            new FileGuacamoleProperty() {
+    public static final CipherGuacamoleProperty CAS_CLEARPASS_KEY =
+            new CipherGuacamoleProperty() {

        @Override
        public String getName() { return "cas-clearpass-key"; }
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.cas.conf;

 import com.google.inject.Inject;
 import java.io.File;
+import javax.crypto.Cipher;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;

@@ -81,7 +82,7 @@ public class ConfigurationService {
     * @throws GuacamoleException
     *     If guacamole.properties cannot be parsed.
     */
-    public File getClearpassKey() throws GuacamoleException {
+    public Cipher getClearpassCipher() throws GuacamoleException {
        return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY);
    }