GUACAMOLE-362: Move password decryption logic into TicketValidationService class.

2025-09-06 13:17:41 +00:00 · 2017-09-27 11:13:51 -04:00
parent 63134322b0
commit 62fafcb379
2 changed files with 113 additions and 109 deletions
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
@@ -21,32 +21,11 @@ package org.apache.guacamole.auth.cas;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.InputStream;
 import java.io.IOException;
 import java.lang.IllegalArgumentException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
 import java.util.Enumeration;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
 import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
@@ -54,9 +33,6 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService;
 import org.apache.guacamole.auth.cas.form.CASTicketField;
 import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
 import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * Service providing convenience functions for the CAS AuthenticationProvider
@@ -64,11 +40,6 @@ import org.slf4j.LoggerFactory;
 */
 public class AuthenticationProviderService {
    /**
     * Logger for this class.
     */
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
    /**
     * Service for retrieving CAS configuration information.
     */
@@ -116,16 +87,17 @@ public class AuthenticationProviderService {
        if (request != null) {
            String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
            if (ticket != null) {
-                AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
+                Credentials ticketCredentials = ticketService.validateTicket(ticket);
-                AttributePrincipal principal = ticketService.validateTicket(ticket);
+                if (ticketCredentials != null) {
-                String username = principal.getName();
+                    String username = ticketCredentials.getUsername();
-                Object credObj = principal.getAttributes().get("credential");
+                    if (username != null)
-                if (credObj != null) {
+                        credentials.setUsername(username);
-                    String clearPass = decryptPassword(credObj.toString());
+                    String password = ticketCredentials.getPassword();
-                    if (clearPass != null && !clearPass.isEmpty())
+                    if (password != null)
-                        credentials.setPassword(clearPass);
+                        credentials.setPassword(password);
                }
-                authenticatedUser.init(username, credentials);
+                AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
                authenticatedUser.init(credentials.getUsername(), credentials);
                return authenticatedUser;
            }
        }
@@ -147,70 +119,4 @@ public class AuthenticationProviderService {
    }
    /**
     * Takes an encrypted string representing a password provided by
     * the CAS ClearPass service and decrypts it using the private
     * key configured for this extension.  Returns null if it is
     * unable to decrypt the password.
     *
     * @param encryptedPassword
     *     A string with the encrypted password provided by the
     *     CAS service.
     *
     * @return
     *     The decrypted password, or null if it is unable to
     *     decrypt the password.
     *
     * @throws GuacamoleException
     *     If unable to get Guacamole configuration data
     */
    private final String decryptPassword(String encryptedPassword)
            throws GuacamoleException {
        // If we get nothing, we return nothing.
        if (encryptedPassword == null || encryptedPassword.isEmpty()) {
            logger.warn("No or empty encrypted password, no password will be available.");
            return null;
        }
        final PrivateKey clearpassKey = confService.getClearpassKey();
        if (clearpassKey == null) {
            logger.warn("No private key available to decrypt password.");
            return null;
        }
        try {
            final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
            if (cipher == null)
                throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
            // Initialize the Cipher in decrypt mode.
            cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
            // Decode and decrypt, and return a new string.
            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
            final byte[] cipherData = cipher.doFinal(pass64);
            return new String(cipherData);
        }
        catch (BadPaddingException e) {
            throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
        }
        catch (IllegalBlockSizeException e) {
            throw new GuacamoleServerException("Illegal block size while opening private key.", e);
        }
        catch (InvalidKeyException e) {
            throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
        }
        catch (NoSuchAlgorithmException e) {
            throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
        }
        catch (NoSuchPaddingException e) {
            throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
        }
    }
 }
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
@@ -20,14 +20,24 @@
 package org.apache.guacamole.auth.cas.ticket;
 import com.google.inject.Inject;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.xml.bind.DatatypeConverter;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.cas.conf.ConfigurationService;
 import org.apache.guacamole.net.auth.Credentials;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
 import org.jasig.cas.client.validation.TicketValidationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * Service for validating ID tickets forwarded to us by the client, verifying
@@ -35,6 +45,11 @@ import org.jasig.cas.client.validation.TicketValidationException;
 */
 public class TicketValidationService {
    /**
     * Logger for this class.
     */
    private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
    /**
     * Service for retrieving CAS configuration information.
     */
@@ -42,7 +57,7 @@ public class TicketValidationService {
    private ConfigurationService confService;
    /**
-     * Validates and parses the given ID ticket, returning the AttributePrincipal
+     * Validates and parses the given ID ticket, returning the Credentials object
     * derived from the parameters provided by the CAS server in the ticket.  If the
     * ticket is invalid an exception is thrown.
     *
@@ -50,13 +65,13 @@ public class TicketValidationService {
     *     The ID ticket to validate and parse.
     *
     * @return
-     *     The AttributePrincipal derived from parameters provided in the ticket.
+     *     The Credentials object derived from parameters provided in the ticket.
     *
     * @throws GuacamoleException
     *     If the ID ticket is not valid or guacamole.properties could
     *     not be parsed.
     */
-    public AttributePrincipal validateTicket(String ticket) throws GuacamoleException {
+    public Credentials validateTicket(String ticket) throws GuacamoleException {
        // Retrieve the configured CAS URL, establish a ticket validator,
        // and then attempt to validate the supplied ticket.  If that succeeds,
@@ -65,9 +80,26 @@ public class TicketValidationService {
        Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl);
        validator.setAcceptAnyProxy(true);
        try {
            Credentials ticketCredentials = new Credentials();
            String confRedirectURI = confService.getRedirectURI();
            Assertion a = validator.validate(ticket, confRedirectURI);
-            return a.getPrincipal();
+            AttributePrincipal principal =  a.getPrincipal();
            // Retrieve username and set the credentials.
            String username = principal.getName();
            if (username != null)
                ticketCredentials.setUsername(username);
            // Retrieve password, attempt decryption, and set credentials.
            Object credObj = principal.getAttributes().get("credential");
            if (credObj != null) {
                String clearPass = decryptPassword(credObj.toString());
                if (clearPass != null && !clearPass.isEmpty())
                    ticketCredentials.setPassword(clearPass);
            }
            return ticketCredentials;
        } 
        catch (TicketValidationException e) {
            throw new GuacamoleException("Ticket validation failed.", e);
@@ -75,4 +107,70 @@ public class TicketValidationService {
    }
    /**
     * Takes an encrypted string representing a password provided by
     * the CAS ClearPass service and decrypts it using the private
     * key configured for this extension.  Returns null if it is
     * unable to decrypt the password.
     *
     * @param encryptedPassword
     *     A string with the encrypted password provided by the
     *     CAS service.
     *
     * @return
     *     The decrypted password, or null if it is unable to
     *     decrypt the password.
     *
     * @throws GuacamoleException
     *     If unable to get Guacamole configuration data
     */
    private final String decryptPassword(String encryptedPassword)
            throws GuacamoleException {
        // If we get nothing, we return nothing.
        if (encryptedPassword == null || encryptedPassword.isEmpty()) {
            logger.warn("No or empty encrypted password, no password will be available.");
            return null;
        }
        final PrivateKey clearpassKey = confService.getClearpassKey();
        if (clearpassKey == null) {
            logger.warn("No private key available to decrypt password.");
            return null;
        }
        try {
            final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm());
            if (cipher == null)
                throw new GuacamoleServerException("Failed to initialize cipher object with private key.");
            // Initialize the Cipher in decrypt mode.
            cipher.init(Cipher.DECRYPT_MODE, clearpassKey);
            // Decode and decrypt, and return a new string.
            final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
            final byte[] cipherData = cipher.doFinal(pass64);
            return new String(cipherData);
        }
        catch (BadPaddingException e) {
            throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e);
        }
        catch (IllegalBlockSizeException e) {
            throw new GuacamoleServerException("Illegal block size while opening private key.", e);
        }
        catch (InvalidKeyException e) {
            throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e);
        }
        catch (NoSuchAlgorithmException e) {
            throw new GuacamoleServerException("Unexpected algorithm for the private key.", e);
        }
        catch (NoSuchPaddingException e) {
            throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e);
        }
    }
 }