safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-362: Move password decryption logic into TicketValidationService class.

Browse Source
This commit is contained in:
Nick Couchman
2017-09-27 11:13:51 -04:00
committed by Nick Couchman
parent 63134322b0
commit 62fafcb379
2 changed files with 113 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
View File

@@ -21,32 +21,11 @@ package org.apache.guacamole.auth.cas;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.io.IOException;
import java.lang.IllegalArgumentException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.bind.DatatypeConverter;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
@@ -54,9 +33,6 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService;
import org.apache.guacamole.auth.cas.form.CASTicketField;
import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Service providing convenience functions for the CAS AuthenticationProvider
@@ -64,11 +40,6 @@ import org.slf4j.LoggerFactory;
*/
public class AuthenticationProviderService {
/**
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
/**
* Service for retrieving CAS configuration information.
*/
@@ -116,16 +87,17 @@ public class AuthenticationProviderService {
if (request != null) {
String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
if (ticket != null) {
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
AttributePrincipal principal = ticketService.validateTicket(ticket);
String username = principal.getName();
Object credObj = principal.getAttributes().get("credential");
if (credObj != null) {
String clearPass = decryptPassword(credObj.toString());
if (clearPass != null && !clearPass.isEmpty())
credentials.setPassword(clearPass);
Credentials ticketCredentials = ticketService.validateTicket(ticket);
if (ticketCredentials != null) {
String username = ticketCredentials.getUsername();
if (username != null)
credentials.setUsername(username);
String password = ticketCredentials.getPassword();
if (password != null)
credentials.setPassword(password);
}
authenticatedUser.init(username, credentials);
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(credentials.getUsername(), credentials);
return authenticatedUser;
}
}
@@ -147,70 +119,4 @@ public class AuthenticationProviderService {
}
/**
* Takes an encrypted string representing a password provided by
* the CAS ClearPass service and decrypts it using the private
* key configured for this extension. Returns null if it is
* unable to decrypt the password.
*
* @param encryptedPassword
* A string with the encrypted password provided by the
* CAS service.
*
* @return
* The decrypted password, or null if it is unable to
* decrypt the password.
*
* @throws GuacamoleException
* If unable to get Guacamole configuration data
*/
private final String decryptPassword(String encryptedPassword)
throws GuacamoleException {
// If we get nothing, we return nothing.
if (encryptedPassword == null || encryptedPassword.isEmpty()) {
logger.warn("No or empty encrypted password, no password will be available.");
return null;
}
final PrivateKey clearpassKey = confService.getClearpassKey();
if (clearpassKey == null) {
logger.warn("No private key available to decrypt password.");
return null;
}
try {
final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
if (cipher == null)
throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
// Initialize the Cipher in decrypt mode.
cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
// Decode and decrypt, and return a new string.
final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
final byte[] cipherData = cipher.doFinal(pass64);
return new String(cipherData);
}
catch (BadPaddingException e) {
throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
}
catch (IllegalBlockSizeException e) {
throw new GuacamoleServerException("Illegal block size while opening private key.", e);
}
catch (InvalidKeyException e) {
throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
}
catch (NoSuchAlgorithmException e) {
throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
}
catch (NoSuchPaddingException e) {
throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
}
}
}

108
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
View File

@@ -20,14 +20,24 @@
package org.apache.guacamole.auth.cas.ticket;
import com.google.inject.Inject;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.xml.bind.DatatypeConverter;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.cas.conf.ConfigurationService;
import org.apache.guacamole.net.auth.Credentials;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Service for validating ID tickets forwarded to us by the client, verifying
@@ -35,6 +45,11 @@ import org.jasig.cas.client.validation.TicketValidationException;
*/
public class TicketValidationService {
/**
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
/**
* Service for retrieving CAS configuration information.
*/
@@ -42,7 +57,7 @@ public class TicketValidationService {
private ConfigurationService confService;
/**
* Validates and parses the given ID ticket, returning the AttributePrincipal
* Validates and parses the given ID ticket, returning the Credentials object
* derived from the parameters provided by the CAS server in the ticket. If the
* ticket is invalid an exception is thrown.
*
@@ -50,13 +65,13 @@ public class TicketValidationService {
* The ID ticket to validate and parse.
*
* @return
* The AttributePrincipal derived from parameters provided in the ticket.
* The Credentials object derived from parameters provided in the ticket.
*
* @throws GuacamoleException
* If the ID ticket is not valid or guacamole.properties could
* not be parsed.
*/
public AttributePrincipal validateTicket(String ticket) throws GuacamoleException {
public Credentials validateTicket(String ticket) throws GuacamoleException {
// Retrieve the configured CAS URL, establish a ticket validator,
// and then attempt to validate the supplied ticket. If that succeeds,
@@ -65,9 +80,26 @@ public class TicketValidationService {
Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl);
validator.setAcceptAnyProxy(true);
try {
Credentials ticketCredentials = new Credentials();
String confRedirectURI = confService.getRedirectURI();
Assertion a = validator.validate(ticket, confRedirectURI);
return a.getPrincipal();
AttributePrincipal principal = a.getPrincipal();
// Retrieve username and set the credentials.
String username = principal.getName();
if (username != null)
ticketCredentials.setUsername(username);
// Retrieve password, attempt decryption, and set credentials.
Object credObj = principal.getAttributes().get("credential");
if (credObj != null) {
String clearPass = decryptPassword(credObj.toString());
if (clearPass != null && !clearPass.isEmpty())
ticketCredentials.setPassword(clearPass);
}
return ticketCredentials;
}
catch (TicketValidationException e) {
throw new GuacamoleException("Ticket validation failed.", e);
@@ -75,4 +107,70 @@ public class TicketValidationService {
}
/**
* Takes an encrypted string representing a password provided by
* the CAS ClearPass service and decrypts it using the private
* key configured for this extension. Returns null if it is
* unable to decrypt the password.
*
* @param encryptedPassword
* A string with the encrypted password provided by the
* CAS service.
*
* @return
* The decrypted password, or null if it is unable to
* decrypt the password.
*
* @throws GuacamoleException
* If unable to get Guacamole configuration data
*/
private final String decryptPassword(String encryptedPassword)
throws GuacamoleException {
// If we get nothing, we return nothing.
if (encryptedPassword == null || encryptedPassword.isEmpty()) {
logger.warn("No or empty encrypted password, no password will be available.");
return null;
}
final PrivateKey clearpassKey = confService.getClearpassKey();
if (clearpassKey == null) {
logger.warn("No private key available to decrypt password.");
return null;
}
try {
final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
if (cipher == null)
throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
// Initialize the Cipher in decrypt mode.
cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
// Decode and decrypt, and return a new string.
final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
final byte[] cipherData = cipher.doFinal(pass64);
return new String(cipherData);
}
catch (BadPaddingException e) {
throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
}
catch (IllegalBlockSizeException e) {
throw new GuacamoleServerException("Illegal block size while opening private key.", e);
}
catch (InvalidKeyException e) {
throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
}
catch (NoSuchAlgorithmException e) {
throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
}
catch (NoSuchPaddingException e) {
throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
}
}
}