From 704c7b6d81a94b7f9ecd1cdfc3890b3a2d2940c6 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Sun, 24 Mar 2019 15:53:53 -0400 Subject: [PATCH] GUACAMOLE-678: Use new URI property for existing configuration items. --- extensions/guacamole-auth-cas/pom.xml | 8 +++++ .../auth/cas/conf/CASGuacamoleProperties.java | 10 +++--- .../auth/cas/conf/ConfigurationService.java | 5 +-- .../auth/cas/form/CASTicketField.java | 34 ++++++------------- .../cas/ticket/TicketValidationService.java | 9 ++--- extensions/guacamole-auth-openid/pom.xml | 8 +++++ .../openid/conf/ConfigurationService.java | 20 ++++++----- .../auth/openid/form/TokenField.java | 33 +++++++----------- .../openid/token/TokenValidationService.java | 2 +- 9 files changed, 64 insertions(+), 65 deletions(-) diff --git a/extensions/guacamole-auth-cas/pom.xml b/extensions/guacamole-auth-cas/pom.xml index 60d1df300..3afabda3f 100644 --- a/extensions/guacamole-auth-cas/pom.xml +++ b/extensions/guacamole-auth-cas/pom.xml @@ -261,6 +261,14 @@ 2.5 provided + + + + javax.ws.rs + jsr311-api + 1.1.1 + provided + diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java index dd741a3f8..f9876e055 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java @@ -19,7 +19,7 @@ package org.apache.guacamole.auth.cas.conf; -import org.apache.guacamole.properties.StringGuacamoleProperty; +import org.apache.guacamole.properties.UriGuacamoleProperty; /** * Provides properties required for use of the CAS authentication provider. 
@@ -36,8 +36,8 @@ public class CASGuacamoleProperties { /** * The authorization endpoint (URI) of the CAS service. */ - public static final StringGuacamoleProperty CAS_AUTHORIZATION_ENDPOINT = - new StringGuacamoleProperty() { + public static final UriGuacamoleProperty CAS_AUTHORIZATION_ENDPOINT = + new UriGuacamoleProperty() { @Override public String getName() { return "cas-authorization-endpoint"; } @@ -49,8 +49,8 @@ public class CASGuacamoleProperties { * authentication process is complete. This must be the full URL that a * user would enter into their browser to access Guacamole. */ - public static final StringGuacamoleProperty CAS_REDIRECT_URI = - new StringGuacamoleProperty() { + public static final UriGuacamoleProperty CAS_REDIRECT_URI = + new UriGuacamoleProperty() { @Override public String getName() { return "cas-redirect-uri"; } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java index e0016ad75..680f17057 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java @@ -20,6 +20,7 @@ package org.apache.guacamole.auth.cas.conf; import com.google.inject.Inject; +import java.net.URI; import java.security.PrivateKey; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; @@ -47,7 +48,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the authorization * endpoint property is missing. */ - public String getAuthorizationEndpoint() throws GuacamoleException { + public URI getAuthorizationEndpoint() throws GuacamoleException { return environment.getRequiredProperty(CASGuacamoleProperties.CAS_AUTHORIZATION_ENDPOINT); } 
@@ -65,7 +66,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the redirect URI * property is missing. */ - public String getRedirectURI() throws GuacamoleException { + public URI getRedirectURI() throws GuacamoleException { return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI); } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java index f785241f7..c16f52598 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java @@ -19,8 +19,8 @@ package org.apache.guacamole.auth.cas.form; -import java.io.UnsupportedEncodingException; -import java.net.URLEncoder; +import java.net.URI; +import javax.ws.rs.core.UriBuilder; import org.apache.guacamole.form.Field; @@ -47,7 +47,7 @@ public class CASTicketField extends Field { /** * The full URI which the field should link to. */ - private final String authorizationURI; + private final URI authorizationURI; /** * Creates a new CAS "ticket" field which links to the given CAS 
@@ -65,29 +65,15 @@ public class CASTicketField extends Field { * The URI that the CAS service should redirect to upon successful * authentication. */ - public CASTicketField(String authorizationEndpoint, String redirectURI) { + public CASTicketField(URI authorizationEndpoint, URI redirectURI) { // Init base field properties super(PARAMETER_NAME, "GUAC_CAS_TICKET"); - - // Build authorization URI from given values - try { - final StringBuilder sb = new StringBuilder(); - sb.append(authorizationEndpoint); - // user might configure the endpoint with a trailing slash - if (sb.charAt(sb.length() - 1) != '/') { - sb.append('/'); - } - sb.append(CAS_LOGIN_URI); - sb.append("?service="); - sb.append(URLEncoder.encode(redirectURI, "UTF-8")); - this.authorizationURI = sb.toString(); - } - - // Java is required to provide UTF-8 support - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } + + this.authorizationURI = UriBuilder.fromUri(authorizationEndpoint) + .path(CAS_LOGIN_URI) + .queryParam("service", redirectURI) + .build(); } @@ -99,7 +85,7 @@ public class CASTicketField extends Field { * The full URI that this field should link to. */ public String getAuthorizationURI() { - return authorizationURI; + return authorizationURI.toString(); } } diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java index b7cf33f0b..958ea2c11 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java 
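Review bot: The `service` value built in the CASTicketField constructor is no longer a plain URL-encoded copy of the redirect URI, because `UriBuilder.queryParam` applies its own contextual encoding and treats `{`…`}` inside a value as a URI template. CAS compares the service presented at login with the one later passed to `validator.validate(ticket, confRedirectURI.toString())` in TicketValidationService, so a configured redirect URI containing percent-escapes, its own query string or braces may not round-trip, or may make `build()` throw IllegalArgumentException; which of these the provided JAX-RS implementation does is not visible here. A unit test with such a URI would settle it, and the dropped trailing-slash remark deserves a replacement such as `// UriBuilder.path() inserts the '/' separator when the endpoint lacks one`. The same `queryParam` caveat applies to `redirect_uri`, `scope` and `nonce` in the TokenField constructor.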
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.cas.ticket; import com.google.common.io.BaseEncoding; import com.google.inject.Inject; +import java.net.URI; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; @@ -83,13 +84,13 @@ public class TicketValidationService { // Retrieve the configured CAS URL, establish a ticket validator, // and then attempt to validate the supplied ticket. If that succeeds, // grab the principal returned by the validator. - String casServerUrl = confService.getAuthorizationEndpoint(); - Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl); + URI casServerUrl = confService.getAuthorizationEndpoint(); + Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl.toString()); validator.setAcceptAnyProxy(true); validator.setEncoding("UTF-8"); try { - String confRedirectURI = confService.getRedirectURI(); - Assertion a = validator.validate(ticket, confRedirectURI); + URI confRedirectURI = confService.getRedirectURI(); + Assertion a = validator.validate(ticket, confRedirectURI.toString()); AttributePrincipal principal = a.getPrincipal(); // Retrieve username and set the credentials. diff --git a/extensions/guacamole-auth-openid/pom.xml b/extensions/guacamole-auth-openid/pom.xml index 967ad03e2..25158c88e 100644 --- a/extensions/guacamole-auth-openid/pom.xml +++ b/extensions/guacamole-auth-openid/pom.xml @@ -246,6 +246,14 @@ 2.5 provided + + + + javax.ws.rs + jsr311-api + 1.1.1 + provided + diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java index c742d8991..8b4874c13 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java 
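Review bot: Neither this hunk nor the one in TokenValidationService checks that the configured URI is absolute and uses `https` before it is converted back to a string for `Cas20ProxyTicketValidator` and `HttpsJwks`. These two endpoints are what the extension trusts to vouch for a login (ticket validation here, signing keys there), so a relative or `http://` value in guacamole.properties would leave the validation response or the key set open to tampering in transit; whether `UriGuacamoleProperty` enforces a scheme is not visible in this patch. Now that the value is a `URI`, a guard is cheap: `if (!casServerUrl.isAbsolute() || !"https".equalsIgnoreCase(casServerUrl.getScheme())) throw new GuacamoleServerException("cas-authorization-endpoint must be an absolute https URI.");`, with the equivalent check on `getJWKSEndpoint()`. The enclosing method starts and ends outside the hunk.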
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java @@ -20,10 +20,12 @@ package org.apache.guacamole.auth.openid.conf; import com.google.inject.Inject; +import java.net.URI; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; +import org.apache.guacamole.properties.UriGuacamoleProperty; /** * Service for retrieving configuration information regarding the OpenID @@ -63,8 +65,8 @@ public class ConfigurationService { /** * The authorization endpoint (URI) of the OpenID service. */ - private static final StringGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT = - new StringGuacamoleProperty() { + private static final UriGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT = + new UriGuacamoleProperty() { @Override public String getName() { return "openid-authorization-endpoint"; } @@ -75,8 +77,8 @@ public class ConfigurationService { * The endpoint (URI) of the JWKS service which defines how received ID * tokens (JWTs) shall be validated. */ - private static final StringGuacamoleProperty OPENID_JWKS_ENDPOINT = - new StringGuacamoleProperty() { + private static final UriGuacamoleProperty OPENID_JWKS_ENDPOINT = + new UriGuacamoleProperty() { @Override public String getName() { return "openid-jwks-endpoint"; } @@ -174,8 +176,8 @@ public class ConfigurationService { * authentication process is complete. This must be the full URL that a * user would enter into their browser to access Guacamole. */ - private static final StringGuacamoleProperty OPENID_REDIRECT_URI = - new StringGuacamoleProperty() { + private static final UriGuacamoleProperty OPENID_REDIRECT_URI = + new UriGuacamoleProperty() { @Override public String getName() { return "openid-redirect-uri"; } 
@@ -200,7 +202,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the authorization * endpoint property is missing. */ - public String getAuthorizationEndpoint() throws GuacamoleException { + public URI getAuthorizationEndpoint() throws GuacamoleException { return environment.getRequiredProperty(OPENID_AUTHORIZATION_ENDPOINT); } @@ -236,7 +238,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the redirect URI * property is missing. */ - public String getRedirectURI() throws GuacamoleException { + public URI getRedirectURI() throws GuacamoleException { return environment.getRequiredProperty(OPENID_REDIRECT_URI); } @@ -270,7 +272,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the JWKS endpoint * property is missing. */ - public String getJWKSEndpoint() throws GuacamoleException { + public URI getJWKSEndpoint() throws GuacamoleException { return environment.getRequiredProperty(OPENID_JWKS_ENDPOINT); } diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java index d99c3672d..4a3bc9dd4 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java @@ -19,8 +19,8 @@ package org.apache.guacamole.auth.openid.form; -import java.io.UnsupportedEncodingException; -import java.net.URLEncoder; +import java.net.URI; +import javax.ws.rs.core.UriBuilder; import org.apache.guacamole.form.Field; /** 
@@ -38,7 +38,7 @@ public class TokenField extends Field { /** * The full URI which the field should link to. */ - private final String authorizationURI; + private final URI authorizationURI; /** * Creates a new field which requests authentication via OpenID connect. @@ -69,26 +69,19 @@ public class TokenField extends Field { * A random string unique to this request. To defend against replay * attacks, this value must cease being valid after its first use. */ - public TokenField(String authorizationEndpoint, String scope, - String clientID, String redirectURI, String nonce) { + public TokenField(URI authorizationEndpoint, String scope, + String clientID, URI redirectURI, String nonce) { // Init base field properties super(PARAMETER_NAME, "GUAC_OPENID_TOKEN"); - // Build authorization URI from given values - try { - this.authorizationURI = authorizationEndpoint - + "?scope=" + URLEncoder.encode(scope, "UTF-8") - + "&response_type=id_token" - + "&client_id=" + URLEncoder.encode(clientID, "UTF-8") - + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8") - + "&nonce=" + nonce; - } - - // Java is required to provide UTF-8 support - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } + this.authorizationURI = UriBuilder.fromUri(authorizationEndpoint) + .queryParam("scope", scope) + .queryParam("response_type", "id_token") + .queryParam("client_id","clientID") + .queryParam("redirect_uri", redirectURI) + .queryParam("nonce", nonce) + .build(); } @@ -100,7 +93,7 @@ public class TokenField extends Field { * The full URI that this field should link to. */ public String getAuthorizationURI() { - return authorizationURI; + return authorizationURI.toString(); } } 
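Review bot: In the TokenField constructor the `client_id` parameter is set to the string literal `"clientID"` instead of the `clientID` argument, so every authorization request would carry `client_id=clientID` and the identity provider should reject it or attribute it to the wrong client. The line should read `.queryParam("client_id", clientID)`. The removed code passed `URLEncoder.encode(clientID, "UTF-8")`, which confirms the variable was intended. A test asserting that `getAuthorizationURI()` contains the configured client ID would catch this kind of slip.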
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java index cde4f89a6..5efb09dab 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java @@ -74,7 +74,7 @@ public class TokenValidationService { public String processUsername(String token) throws GuacamoleException { // Validating the token requires a JWKS key resolver - HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint()); + HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint().toString()); HttpsJwksVerificationKeyResolver resolver = new HttpsJwksVerificationKeyResolver(jwks); // Create JWT consumer for validating received token