From b2789700768315465659baa6b0cfb3e7bd8bc506 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Fri, 10 Feb 2017 08:59:37 -0500 Subject: [PATCH] GUACAMOLE-204: Implementation of CAS SSO module for Guacamole authentication. --- extensions/guacamole-auth-cas/.gitignore | 3 + extensions/guacamole-auth-cas/LICENSE | 220 ++++++++++++++++++ extensions/guacamole-auth-cas/README.md | 10 + extensions/guacamole-auth-cas/pom.xml | 146 ++++++++++++ .../src/main/assembly/dist.xml | 53 +++++ .../cas/AuthenticationProviderService.java | 111 +++++++++ .../auth/cas/CASAuthenticationProvider.java | 107 +++++++++ .../cas/CASAuthenticationProviderModule.java | 83 +++++++ .../auth/cas/conf/CASGuacamoleProperties.java | 62 +++++ .../auth/cas/conf/ConfigurationService.java | 73 ++++++ .../auth/cas/form/CASTicketField.java | 99 ++++++++ .../cas/ticket/TicketValidationService.java | 81 +++++++ .../auth/cas/user/AuthenticatedUser.java | 73 ++++++ .../src/main/resources/cas.css | 23 ++ .../src/main/resources/casConfig.js | 51 ++++ .../src/main/resources/casController.js | 30 +++ .../src/main/resources/casModule.js | 29 +++ .../src/main/resources/guac-manifest.json | 22 ++ pom.xml | 1 + 19 files changed, 1277 insertions(+) create mode 100644 extensions/guacamole-auth-cas/.gitignore create mode 100644 extensions/guacamole-auth-cas/LICENSE create mode 100644 extensions/guacamole-auth-cas/README.md create mode 100644 extensions/guacamole-auth-cas/pom.xml create mode 100644 extensions/guacamole-auth-cas/src/main/assembly/dist.xml create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProviderModule.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java create mode 100644 extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/AuthenticatedUser.java create mode 100644 extensions/guacamole-auth-cas/src/main/resources/cas.css create mode 100644 extensions/guacamole-auth-cas/src/main/resources/casConfig.js create mode 100644 extensions/guacamole-auth-cas/src/main/resources/casController.js create mode 100644 extensions/guacamole-auth-cas/src/main/resources/casModule.js create mode 100644 extensions/guacamole-auth-cas/src/main/resources/guac-manifest.json diff --git a/extensions/guacamole-auth-cas/.gitignore b/extensions/guacamole-auth-cas/.gitignore new file mode 100644 index 000000000..c3a023fc1 --- /dev/null +++ b/extensions/guacamole-auth-cas/.gitignore @@ -0,0 +1,3 @@ +*~ +target/ +META-INF/ diff --git a/extensions/guacamole-auth-cas/LICENSE b/extensions/guacamole-auth-cas/LICENSE new file mode 100644 index 000000000..7378dfb92 --- /dev/null +++ b/extensions/guacamole-auth-cas/LICENSE @@ -0,0 +1,220 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +============================================================================== + +APACHE GUACAMOLE SUBCOMPONENTS + +Apache Guacamole includes a number of subcomponents with separate copyright +notices and license terms. Your use of these subcomponents is subject to the +terms and conditions of the following licenses. + + +Carlito (http://code.google.com/p/chromium/issues/detail?id=280557) +------------------------------------------------------------------- + + Version: N/A + From: 'tyPoland Lukasz Dziedzic' (http://www.lukaszdziedzic.eu/) + License(s): + SIL Open Font (guacamole/src/licenses/bundled/carlito/LICENSE) diff --git a/extensions/guacamole-auth-cas/README.md b/extensions/guacamole-auth-cas/README.md new file mode 100644 index 000000000..8af4e46e0 --- /dev/null +++ b/extensions/guacamole-auth-cas/README.md @@ -0,0 +1,10 @@ +# guacamole-auth-cas +CAS SSO Module for Guacamole + +This is an extension module for Guacamole that authenticates using a CAS SSO backend. + +There are two parameters to add to the guacamole.properties file: +- cas-authorization-endpoint -> The URL of the CAS server. +- cas-redirect-uri -> Where the CAS server should redirect back to after a successful login. + +This module was written using source code provided by Mike Jumper for the OpenID (OAUTH) module and modified to fit the CAS authentication process. diff --git a/extensions/guacamole-auth-cas/pom.xml b/extensions/guacamole-auth-cas/pom.xml new file mode 100644 index 000000000..fbb44c316 --- /dev/null +++ b/extensions/guacamole-auth-cas/pom.xml @@ -0,0 +1,146 @@ + + + + + 4.0.0 + org.apache.guacamole + guacamole-auth-cas + jar + 0.9.11-incubating + guacamole-auth-cas + http://guacamole.incubator.apache.org/ + + + UTF-8 + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.3 + + 1.6 + 1.6 + + -Xlint:all + -Werror + + true + + + + + + org.apache.maven.plugins + maven-dependency-plugin + 2.10 + + + unpack-dependencies + prepare-package + + unpack-dependencies + + + runtime + ${project.build.directory}/classes + + + + + + + + maven-assembly-plugin + 2.5.3 + + ${project.artifactId}-${project.version} + false + + src/main/assembly/dist.xml + + + + + make-dist-archive + package + + single + + + + + + + + + + + + + org.apache.guacamole + guacamole-common + 0.9.10-incubating + provided + + + + + org.apache.guacamole + guacamole-ext + 0.9.11-incubating + provided + + + org.jasig.cas.client + cas-client-core + 3.4.1 + + + + com.google.inject + guice + 3.0 + + + com.google.inject.extensions + guice-multibindings + 3.0 + + + + + javax.servlet + servlet-api + 2.5 + provided + + + + + + diff --git a/extensions/guacamole-auth-cas/src/main/assembly/dist.xml b/extensions/guacamole-auth-cas/src/main/assembly/dist.xml new file mode 100644 index 000000000..b89fd534c --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/assembly/dist.xml @@ -0,0 +1,53 @@ + + + + + dist + ${project.artifactId}-${project.version} + + + + tar.gz + + + + + + + + + src/licenses + + + + + target + + + *.jar + + + + + + diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java new file mode 100644 index 000000000..2222a8639 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.util.Arrays; +import java.util.Enumeration; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.form.Field; +import org.apache.guacamole.net.auth.Credentials; +import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; +import org.apache.guacamole.auth.cas.conf.ConfigurationService; +import org.apache.guacamole.auth.cas.form.CASTicketField; +import org.apache.guacamole.auth.cas.ticket.TicketValidationService; +import org.apache.guacamole.auth.cas.user.AuthenticatedUser; + +/** + * Service providing convenience functions for the CAS AuthenticationProvider + * implementation. + * + * @author Nick Couchman + */ +public class AuthenticationProviderService { + + /** + * Service for retrieving CAS configuration information. + */ + @Inject + private ConfigurationService confService; + + /** + * Service for validating received ID tickets. + */ + @Inject + private TicketValidationService ticketService; + + /** + * Provider for AuthenticatedUser objects. + */ + @Inject + private Provider authenticatedUserProvider; + + /** + * Returns an AuthenticatedUser representing the user authenticated by the + * given credentials. + * + * @param credentials + * The credentials to use for authentication. + * + * @return + * An AuthenticatedUser representing the user authenticated by the + * given credentials. + * + * @throws GuacamoleException + * If an error occurs while authenticating the user, or if access is + * denied. + */ + public AuthenticatedUser authenticateUser(Credentials credentials) + throws GuacamoleException { + + String ticket = null; + + // Pull CAS ticket from request if present + HttpServletRequest request = credentials.getRequest(); + if (request != null) { + ticket = request.getParameter(CASTicketField.PARAMETER_NAME); + if (ticket != null) { + AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); + authenticatedUser.init(ticketService.processUsername(ticket), credentials); + return authenticatedUser; + } + } + + // Request CAS ticket + throw new GuacamoleInvalidCredentialsException("Invalid login.", + new CredentialsInfo(Arrays.asList(new Field[] { + + // CAS-specific ticket (will automatically redirect the user + // to the authorization page via JavaScript) + new CASTicketField( + confService.getAuthorizationEndpoint(), + confService.getRedirectURI() + ) + + })) + ); + + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java new file mode 100644 index 000000000..1817946a0 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java @@ -0,0 +1,107 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas; + +import com.google.inject.Guice; +import com.google.inject.Injector; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.net.auth.AuthenticatedUser; +import org.apache.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.net.auth.Credentials; +import org.apache.guacamole.net.auth.UserContext; + +/** + * Guacamole authentication backend which authenticates users using an + * arbitrary external system implementing CAS. No storage for connections is + * provided - only authentication. Storage must be provided by some other + * extension. + * + * @author Michael Jumper + */ +public class CASAuthenticationProvider implements AuthenticationProvider { + + /** + * Injector which will manage the object graph of this authentication + * provider. + */ + private final Injector injector; + + /** + * Creates a new CASAuthenticationProvider that authenticates users + * against an CAS service + * + * @throws GuacamoleException + * If a required property is missing, or an error occurs while parsing + * a property. + */ + public CASAuthenticationProvider() throws GuacamoleException { + + // Set up Guice injector. + injector = Guice.createInjector( + new CASAuthenticationProviderModule(this) + ); + + } + + @Override + public String getIdentifier() { + return "cas"; + } + + @Override + public AuthenticatedUser authenticateUser(Credentials credentials) + throws GuacamoleException { + + // Attempt to authenticate user with given credentials + AuthenticationProviderService authProviderService = injector.getInstance(AuthenticationProviderService.class); + return authProviderService.authenticateUser(credentials); + + } + + @Override + public AuthenticatedUser updateAuthenticatedUser( + AuthenticatedUser authenticatedUser, Credentials credentials) + throws GuacamoleException { + + // No update necessary + return authenticatedUser; + + } + + @Override + public UserContext getUserContext(AuthenticatedUser authenticatedUser) + throws GuacamoleException { + + // No associated data whatsoever + return null; + + } + + @Override + public UserContext updateUserContext(UserContext context, + AuthenticatedUser authenticatedUser, Credentials credentials) + throws GuacamoleException { + + // No update necessary + return context; + + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProviderModule.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProviderModule.java new file mode 100644 index 000000000..861cb7014 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProviderModule.java @@ -0,0 +1,83 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas; + +import org.apache.guacamole.auth.cas.conf.ConfigurationService; +import com.google.inject.AbstractModule; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.Environment; +import org.apache.guacamole.environment.LocalEnvironment; +import org.apache.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.auth.cas.ticket.TicketValidationService; + +/** + * Guice module which configures CAS-specific injections. + * + * @author Michael Jumper + */ +public class CASAuthenticationProviderModule extends AbstractModule { + + /** + * Guacamole server environment. + */ + private final Environment environment; + + /** + * A reference to the CASAuthenticationProvider on behalf of which this + * module has configured injection. + */ + private final AuthenticationProvider authProvider; + + /** + * Creates a new CAS authentication provider module which configures + * injection for the CASAuthenticationProvider. + * + * @param authProvider + * The AuthenticationProvider for which injection is being configured. + * + * @throws GuacamoleException + * If an error occurs while retrieving the Guacamole server + * environment. + */ + public CASAuthenticationProviderModule(AuthenticationProvider authProvider) + throws GuacamoleException { + + // Get local environment + this.environment = new LocalEnvironment(); + + // Store associated auth provider + this.authProvider = authProvider; + + } + + @Override + protected void configure() { + + // Bind core implementations of guacamole-ext classes + bind(AuthenticationProvider.class).toInstance(authProvider); + bind(Environment.class).toInstance(environment); + + // Bind CAS-specific services + bind(ConfigurationService.class); + bind(TicketValidationService.class); + + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java new file mode 100644 index 000000000..df7075c3a --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java @@ -0,0 +1,62 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.conf; + +import org.apache.guacamole.properties.StringGuacamoleProperty; + +/** + * Provides properties required for use of the CAS authentication provider. + * These properties will be read from guacamole.properties when the CAS + * authentication provider is used. + * + * @author Nick Couchman + */ +public class CASGuacamoleProperties { + + /** + * This class should not be instantiated. + */ + private CASGuacamoleProperties() {} + + /** + * The authorization endpoint (URI) of the CAS service. + */ + public static final StringGuacamoleProperty CAS_AUTHORIZATION_ENDPOINT = + new StringGuacamoleProperty() { + + @Override + public String getName() { return "cas-authorization-endpoint"; } + + }; + + /** + * The URI that the CAS service should redirect to after the + * authentication process is complete. This must be the full URL that a + * user would enter into their browser to access Guacamole. + */ + public static final StringGuacamoleProperty CAS_REDIRECT_URI = + new StringGuacamoleProperty() { + + @Override + public String getName() { return "cas-redirect-uri"; } + + }; + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java new file mode 100644 index 000000000..f996addd2 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java @@ -0,0 +1,73 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.conf; + +import com.google.inject.Inject; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.Environment; + +/** + * Service for retrieving configuration information regarding the CAS service. + * + * @author Nick Couchman + */ +public class ConfigurationService { + + /** + * The Guacamole server environment. + */ + @Inject + private Environment environment; + + /** + * Returns the authorization endpoint (URI) of the CAS service as + * configured with guacamole.properties. + * + * @return + * The authorization endpoint of the CAS service, as configured with + * guacamole.properties. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or if the authorization + * endpoint property is missing. + */ + public String getAuthorizationEndpoint() throws GuacamoleException { + return environment.getRequiredProperty(CASGuacamoleProperties.CAS_AUTHORIZATION_ENDPOINT); + } + + /** + * Returns the URI that the CAS service should redirect to after + * the authentication process is complete, as configured with + * guacamole.properties. This must be the full URL that a user would enter + * into their browser to access Guacamole. + * + * @return + * The client secret to use when communicating with the CAS service, + * as configured with guacamole.properties. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or if the redirect URI + * property is missing. + */ + public String getRedirectURI() throws GuacamoleException { + return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI); + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java new file mode 100644 index 000000000..51bd11786 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java @@ -0,0 +1,99 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.form; + +import java.io.UnsupportedEncodingException; +import java.math.BigInteger; +import java.net.URLEncoder; +import java.security.SecureRandom; +import org.apache.guacamole.form.Field; + + +/** + * Field definition which represents the ticket returned by an CAS service. + * Within the user interface, this will be rendered as an appropriate "Log in + * with ..." button which links to the CAS service. + * + * @author Nick Couchman + */ +public class CASTicketField extends Field { + + /** + * The standard HTTP parameter which will be included within the URL by all + * CAS services upon successful authentication and redirect. + */ + public static final String PARAMETER_NAME = "ticket"; + + /** + * The full URI which the field should link to. + */ + private final String authorizationURI; + + /** + * Creates a new CAS "ticket" field which links to the given CAS + * service using the provided client ID. Successful authentication at the + * CAS service will result in the client being redirected to the specified + * redirect URI. The CAS ticket will be embedded in the fragment (the part + * following the hash symbol) of that URI, which the JavaScript side of + * this extension will move to the query parameters. + * + * @param authorizationEndpoint + * The full URL of the endpoint accepting CAS authentication + * requests. + * + * @param clientID + * The ID of the CAS client. This is normally determined ahead of + * time by the CAS service through some manual credential request + * procedure. + * + * @param redirectURI + * The URI that the CAS service should redirect to upon successful + * authentication. + */ + public CASTicketField(String authorizationEndpoint, String redirectURI) { + + // Init base field properties + super(PARAMETER_NAME, "GUAC_CAS_TICKET"); + + // Build authorization URI from given values + try { + this.authorizationURI = authorizationEndpoint + + "?service=" + URLEncoder.encode(redirectURI, "UTF-8"); + } + + // Java is required to provide UTF-8 support + catch (UnsupportedEncodingException e) { + throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); + } + + } + + /** + * Returns the full URI that this field should link to when a new ticket + * needs to be obtained from the CAS service. + * + * @return + * The full URI that this field should link to. + */ + public String getAuthorizationURI() { + return authorizationURI; + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java new file mode 100644 index 000000000..0bdb584c5 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java @@ -0,0 +1,81 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.ticket; + +import com.google.inject.Inject; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.auth.cas.conf.ConfigurationService; +import org.jasig.cas.client.authentication.AttributePrincipal; +import org.jasig.cas.client.validation.Assertion; +import org.jasig.cas.client.validation.Cas20ProxyTicketValidator; +import org.jasig.cas.client.validation.TicketValidationException; + +/** + * Service for validating ID tickets forwarded to us by the client, verifying + * that they did indeed come from the CAS service. + * + * @author Nick Couchman + */ +public class TicketValidationService { + + /** + * Service for retrieving CAS configuration information. + */ + @Inject + private ConfigurationService confService; + + /** + * Validates and parses the given ID ticket, returning the username contained + * therein, as defined by the username claim type given in + * guacamole.properties. If the username claim type is missing or the ID + * ticket is invalid, an exception is thrown instead. + * + * @param ticket + * The ID ticket to validate and parse. + * + * @return + * The username contained within the given ID ticket. + * + * @throws GuacamoleException + * If the ID ticket is not valid, the username claim type is missing, or + * guacamole.properties could not be parsed. + */ + public String processUsername(String ticket) throws GuacamoleException { + AttributePrincipal principal = null; + + // Retrieve the configured CAS URL and establish a ticket validator + String casServerUrl = confService.getAuthorizationEndpoint(); + Cas20ProxyTicketValidator sv = new Cas20ProxyTicketValidator(casServerUrl); + sv.setAcceptAnyProxy(true); + try { + String confRedirectURI = confService.getRedirectURI(); + Assertion a = sv.validate(ticket, confRedirectURI); + principal = a.getPrincipal(); + } + catch (TicketValidationException e) + Throw new GuacamoleException("Ticket validation failed.", e); + + return principal.getName(); + + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/AuthenticatedUser.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/AuthenticatedUser.java new file mode 100644 index 000000000..6f1423ebf --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/AuthenticatedUser.java @@ -0,0 +1,73 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.cas.user; + +import com.google.inject.Inject; +import org.apache.guacamole.net.auth.AbstractAuthenticatedUser; +import org.apache.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.net.auth.Credentials; + +/** + * An CAS-specific implementation of AuthenticatedUser, associating a + * username and particular set of credentials with the CAS authentication + * provider. + * + * @author Michael Jumper + */ +public class AuthenticatedUser extends AbstractAuthenticatedUser { + + /** + * Reference to the authentication provider associated with this + * authenticated user. + */ + @Inject + private AuthenticationProvider authProvider; + + /** + * The credentials provided when this user was authenticated. + */ + private Credentials credentials; + + /** + * Initializes this AuthenticatedUser using the given username and + * credentials. + * + * @param username + * The username of the user that was authenticated. + * + * @param credentials + * The credentials provided when this user was authenticated. + */ + public void init(String username, Credentials credentials) { + this.credentials = credentials; + setIdentifier(username.toLowerCase()); + } + + @Override + public AuthenticationProvider getAuthenticationProvider() { + return authProvider; + } + + @Override + public Credentials getCredentials() { + return credentials; + } + +} diff --git a/extensions/guacamole-auth-cas/src/main/resources/cas.css b/extensions/guacamole-auth-cas/src/main/resources/cas.css new file mode 100644 index 000000000..dc8357755 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/resources/cas.css @@ -0,0 +1,23 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/* Hide login dialog */ +.login-ui div.login-dialog { + display: none; +} diff --git a/extensions/guacamole-auth-cas/src/main/resources/casConfig.js b/extensions/guacamole-auth-cas/src/main/resources/casConfig.js new file mode 100644 index 000000000..79e5698a0 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/resources/casConfig.js @@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/** + * Config block which registers CAS-specific field types. + */ +angular.module('guacCAS').config(['formServiceProvider', + function guacCASConfig(formServiceProvider) { + + // Define field for ticket from CAS service + formServiceProvider.registerFieldType("GUAC_CAS_TICKET", { + templateUrl : '', + controller : 'guacCASController', + module : 'guacCAS' + }); + +}]); + +/** + * Config block which augments the existing routing, providing special handling + * for the "ticket=" fragments provided by OpenID Connect. + */ +angular.module('index').config(['$routeProvider', + function indexRouteConfig($routeProvider) { + + var curPath = window.location.href; + var ticketPos = curPath.indexOf("?ticket=") + 8; + var hashPos = curPath.indexOf("#/"); + if(ticketPos > 0 && ticketPos < hashPos) { + var ticket = curPath.substring(ticketPos, hashPos); + var newPath = curPath.substring(0,ticketPos - 8) + '#/?ticket=' + ticket; + window.location=newPath; + } + +}]); diff --git a/extensions/guacamole-auth-cas/src/main/resources/casController.js b/extensions/guacamole-auth-cas/src/main/resources/casController.js new file mode 100644 index 000000000..3ef1801ab --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/resources/casController.js @@ -0,0 +1,30 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/** + * Controller for the "GUAC_CAS_TICKET" field which simply redirects the user + * immediately to the authorization URI. + */ +angular.module('guacCAS').controller('guacCASController', ['$scope', + function guacCASController($scope) { + + // Redirect to authorization URI + window.location = $scope.field.authorizationURI; + +}]); diff --git a/extensions/guacamole-auth-cas/src/main/resources/casModule.js b/extensions/guacamole-auth-cas/src/main/resources/casModule.js new file mode 100644 index 000000000..bd789dde4 --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/resources/casModule.js @@ -0,0 +1,29 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/** + * Module which provides handling for CAS authentication. + */ +angular.module('guacCAS', [ + 'form', + 'ngRoute', +]); + +// Ensure the CAS module is loaded along with the rest of the app +angular.module('index').requires.push('guacCAS'); diff --git a/extensions/guacamole-auth-cas/src/main/resources/guac-manifest.json b/extensions/guacamole-auth-cas/src/main/resources/guac-manifest.json new file mode 100644 index 000000000..5bfb5f70b --- /dev/null +++ b/extensions/guacamole-auth-cas/src/main/resources/guac-manifest.json @@ -0,0 +1,22 @@ +{ + + "guacamoleVersion" : "0.9.11-incubating", + + "name" : "CAS Authentication Extension", + "namespace" : "guac-cas", + + "authProviders" : [ + "org.apache.guacamole.auth.cas.CASAuthenticationProvider" + ], + + "js" : [ + "casModule.js", + "casController.js", + "casConfig.js" + ], + + "css" : [ + "cas.css" + ] + +} diff --git a/pom.xml b/pom.xml index 990d1f97c..e2f700c2a 100644 --- a/pom.xml +++ b/pom.xml @@ -49,6 +49,7 @@ guacamole-common-js + extensions/guacamole-auth-cas extensions/guacamole-auth-duo extensions/guacamole-auth-header extensions/guacamole-auth-jdbc