diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
index c7dd0e1a4..aca3f422d 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
@@ -22,8 +22,12 @@ package org.apache.guacamole.auth.mysql;
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import com.google.inject.name.Names;
+import java.io.File;
 import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.mysql.conf.MySQLDriver;
+import org.apache.guacamole.auth.mysql.conf.MySQLEnvironment;
+import org.apache.guacamole.auth.mysql.conf.MySQLSSLMode;
 import org.mybatis.guice.datasource.helper.JdbcHelper;
 /**
@@ -79,6 +83,37 @@ public class MySQLAuthenticationProviderModule implements Module {
 // Allow use of multiple statements within a single query
 driverProperties.setProperty("allowMultiQueries", "true");
+ // Set the SSL mode to use when conncting
+ MySQLSSLMode sslMode = environment.getMySQLSSLMode();
+ driverProperties.setProperty("sslMode", sslMode.getDriverValue());
+
+ // Set legacy properties
+ if (sslMode == MySQLSSLMode.DISABLED)
+ driverProperties.setProperty("useSSL", "false");
+ else
+ driverProperties.setProperty("useSSL", "true");
+
+ // Check other SSL settings and set as required
+ File trustStore = environment.getMySQLSSLTrustStore();
+ if (trustStore != null)
+ driverProperties.setProperty("trustCertificateKeyStoreUrl",
+ trustStore.getAbsolutePath());
+
+ String trustPassword = environment.getMySQLSSLTrustPassword();
+ if (trustPassword != null)
+ driverProperties.setProperty("trustCertificateKeyStorePassword",
+ trustPassword);
+
+ File clientStore = environment.getMySQLSSLClientStore();
+ if (clientStore != null)
+ driverProperties.setProperty("clientCertificateKeyStoreUrl",
+ clientStore.getAbsolutePath());
+
+ String clientPassword = environment.getMYSQLSSLClientPassword();
+ if (clientPassword != null)
+ driverProperties.setProperty("clientCertificateKeyStorePassword",
+ clientPassword);
+
 // Get the MySQL-compatible driver to use.
 mysqlDriver = environment.getMySQLDriver();
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java
index aa582fdcd..ec5fcc1d8 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java
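Review bot: `trustCertificateKeyStoreUrl` and `clientCertificateKeyStoreUrl` are handed `getAbsolutePath()`, but as far as I know Connector/J parses these two properties as URLs, so a bare filesystem path fails URL parsing and the configured stores are never loaded; `trustStore.toURI().toString()` and `clientStore.toURI().toString()` produce the `file:` URL the driver expects. The legacy branch sets only `useSSL`; if it is meant to cover driver versions that do not understand `sslMode`, those drivers would accept any server certificate under `VERIFY_CA` and `VERIFY_IDENTITY` unless `verifyServerCertificate` is also set to `"true"` for those two modes, so the fallback should set it rather than silently weaken the configured mode. The first added comment has a typo: `// Set the SSL mode to use when connecting`. The enclosing method starts and ends outside the hunk.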
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java
@@ -24,6 +24,7 @@ import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule;
 import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider;
+import org.apache.guacamole.auth.mysql.conf.MySQLEnvironment;
 /**
 * JDBCInjectorProvider implementation which configures Guice injections for
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java
similarity index 96%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java
index ea74f9937..36e8e9b1b 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java
@@ -17,7 +17,7 @@
 * under the License.
 */
-package org.apache.guacamole.auth.mysql;
+package org.apache.guacamole.auth.mysql.conf;
 import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
similarity index 75%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
index 179b812e4..a538ff395 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java
@@ -17,8 +17,9 @@
 * under the License.
 */
-package org.apache.guacamole.auth.mysql;
+package org.apache.guacamole.auth.mysql.conf;
+import java.io.File;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
 import java.sql.SQLException;
@@ -101,6 +102,11 @@ public class MySQLEnvironment extends JDBCEnvironment {
 * allowed to any one connection group.
 */
 private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+
+ /**
+ * The default SSL mode for connecting to MySQL servers.
+ */
+ private final MySQLSSLMode DEFAULT_SSL_MODE = MySQLSSLMode.DISABLED;
 /**
 * Constructs a new MySQLEnvironment, providing access to MySQL-specific
@@ -300,5 +306,85 @@ public class MySQLEnvironment extends JDBCEnvironment {
 }
 }
+
+ /**
+ * Return the MySQL SSL mode as configured in guacamole.properties, or the
+ * default value of DISABLED if not configured.
+ *
+ * @return
+ * The SSL mode to use when connecting to the MySQL server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the property value.
+ */
+ public MySQLSSLMode getMySQLSSLMode() throws GuacamoleException {
+ return getProperty(
+ MySQLGuacamoleProperties.MYSQL_SSL_MODE,
+ DEFAULT_SSL_MODE);
+ }
+
+ /**
+ * Returns the File where the trusted certificate store is located as
+ * configured in guacamole.properties, or null if no value has been
+ * configured. The trusted certificate store is used to validate server
+ * certificates when making SSL connections to MySQL servers.
+ *
+ * @return
+ * The File where the trusted certificate store is located, or null
+ * if the value has not been configured.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public File getMySQLSSLTrustStore() throws GuacamoleException {
+ return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE);
+ }
+
+ /**
+ * Returns the password used to access the trusted certificate store as
+ * configured in guacamole.properties, or null if no password has been
+ * specified.
+ *
+ * @return
+ * The password used to access the trusted certificate store.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public String getMySQLSSLTrustPassword() throws GuacamoleException {
+ return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD);
+ }
+
+ /**
+ * Returns the File used to store the client SSL certificate as configured
+ * in guacamole.properties, or null if no value has been specified. This
+ * file will be used to load the client certificate used for SSL connections
+ * to MySQL servers, if the SSL connection is so configured to require
+ * client certificate authentication.
+ *
+ * @return
+ * The File where the client SSL certificate is stored.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public File getMySQLSSLClientStore() throws GuacamoleException {
+ return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE);
+ }
+
+ /**
+ * Returns the password used to access the client certificate store as
+ * configured in guacamole.properties, or null if no value has been
+ * specified.
+ *
+ * @return
+ * The password used to access the client SSL certificate store.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public String getMYSQLSSLClientPassword() throws GuacamoleException {
+ return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD);
+ }
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
similarity index 71%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
index c0770b777..c87f4cf4b 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java
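Review bot: `getMySQLSSLClientStore` and `getMYSQLSSLClientPassword` read the trust-store properties instead of the client-store ones, so `mysql-ssl-client-store` and `mysql-ssl-client-password` (declared in the MySQLGuacamoleProperties hunk) are never consulted and the trust store and its password are passed to the driver as the client key store. The two return lines should be `return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_STORE);` and `return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_PASSWORD);`. The name `getMYSQLSSLClientPassword` also breaks the `getMySQL...` casing used by every sibling getter; renaming it to `getMySQLSSLClientPassword` would need the matching call in the MySQLAuthenticationProviderModule hunk updated as well.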
@@ -17,10 +17,11 @@
 * under the License.
 */
-package org.apache.guacamole.auth.mysql;
+package org.apache.guacamole.auth.mysql.conf;
 import org.apache.guacamole.properties.BooleanGuacamoleProperty;
 import org.apache.guacamole.properties.EnumGuacamoleProperty;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
@@ -177,5 +178,67 @@ public class MySQLGuacamoleProperties {
 public String getName() { return "mysql-default-max-group-connections-per-user"; }
 };
+
+ /**
+ * The SSL mode used to connect to the MySQL Server. By default SSL will
+ * not be used.
+ */
+ public static final EnumGuacamoleProperty MYSQL_SSL_MODE =
+ new EnumGuacamoleProperty(MySQLSSLMode.class) {
+
+ @Override
+ public String getName() { return "mysql-ssl-mode" ; }
+
+ };
+
+ /**
+ * The File where trusted SSL certificate authorities and server certificates
+ * are stored. By default no file is specified, and the default Java
+ * trusted certificate stores will be used.
+ */
+ public static final FileGuacamoleProperty MYSQL_SSL_TRUST_STORE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "mysql-ssl-trust-store"; }
+
+ };
+
+ /**
+ * The password to use to access the mysql-ssl-trust-store, if required. By
+ * default no password will be used to attempt to access the store.
+ */
+ public static final StringGuacamoleProperty MYSQL_SSL_TRUST_PASSWORD =
+ new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "mysql-ssl-trust-password"; }
+
+ };
+
+ /**
+ * The File used to store the client certificate for configurations where
+ * a client certificate is required for authentication. By default no
+ * client certificate store will be specified.
+ */
+ public static final FileGuacamoleProperty MYSQL_SSL_CLIENT_STORE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "mysql-ssl-client-store"; }
+
+ };
+
+ /**
+ * The password to use to access the mysql-ssl-client-store file. By
+ * default no password will be used to attempt to access the file.
+ */
+ public static final StringGuacamoleProperty MYSQL_SSL_CLIENT_PASSWORD =
+ new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "mysql-ssl-client-password"; }
+
+ };
 }
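Review bot: `public String getName() { return "mysql-ssl-mode" ; }` has a stray space before the semicolon that none of the other four new properties have; `public String getName() { return "mysql-ssl-mode"; }`. The Javadoc of `MYSQL_SSL_TRUST_STORE` and `MYSQL_SSL_CLIENT_STORE` could also state the expected store format, since as far as I know Connector/J loads these as Java KeyStores (JKS by default) rather than PEM files, and an operator pointing them at a CA bundle would only find out at connect time.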
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java
similarity index 99%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java
index bf8bbede8..69b4ec85a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java
@@ -17,7 +17,7 @@
 * under the License.
 */
-package org.apache.guacamole.auth.mysql;
+package org.apache.guacamole.auth.mysql.conf;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
new file mode 100644
index 000000000..72dcd311e
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.mysql.conf;
+
+import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue;
+
+/**
+ * Possible values for enabling SSL within the MySQL Driver.
+ */
+public enum MySQLSSLMode {
+
+ /**
+ * Do not use SSL at all.
+ */
+ @PropertyValue("disabled")
+ DISABLED("DISABLED"),
+
+ /**
+ * Prefer SSL, but fall back to unencrypted.
+ */
+ @PropertyValue("preferred")
+ PREFERRED("PREFERRED"),
+
+ /**
+ * Require SSL, but perform no certificate validation.
+ */
+ @PropertyValue("required")
+ REQUIRED("REQUIRED"),
+
+ /**
+ * Require SSL, and validate server certificate issuer.
+ */
+ @PropertyValue("verify-ca")
+ VERIFY_CA("VERIFY_CA"),
+
+ /**
+ * Require SSL and validate both server certificate issuer and server
+ * identity.
+ */
+ @PropertyValue("verify-identity")
+ VERIFY_IDENTITY("VERIFY_IDENTITY");
+
+ /**
+ * The value expected by and passed on to the JDBC driver for the given
+ * SSL operation mode.
+ */
+ private final String driverValue;
+
+ /**
+ * Create a new instance of this enum with the given driverValue as the
+ * value that will be used when configuring the JDBC driver.
+ *
+ * @param driverValue
+ * The value to use when configuring the JDBC driver.
+ */
+ MySQLSSLMode(String driverValue) {
+ this.driverValue = driverValue;
+ }
+
+ /**
+ * Returns the String value for a given Enum that properly configures the
+ * JDBC driver for the desired mode of SSL operation.
+ *
+ * @return
+ * The String value for the current Enum that configures the JDBC driver
+ * for the desired mode of SSL operation.
+ */
+ public String getDriverValue() {
+ return driverValue;
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java
similarity index 99%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java
index 577506ef0..2354d942e 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java
@@ -17,7 +17,7 @@
 * under the License.
 */
-package org.apache.guacamole.auth.mysql;
+package org.apache.guacamole.auth.mysql.conf;
 import com.google.common.collect.ComparisonChain;
 import java.util.regex.Matcher;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
index dc57ff700..67fafe452 100644
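Review bot: The class Javadoc ("within the MySQL Driver") does not say which driver's vocabulary `driverValue` follows; the strings are MySQL Connector/J's `sslMode` values, and since the module can select an alternative driver through `MySQLDriver`, a reader cannot tell from this file whether they apply to it. Suggest `Possible values for the sslMode connection property, using the vocabulary of MySQL Connector/J; other drivers selectable through MySQLDriver may not accept these values.` as the class description. If I recall correctly MariaDB Connector/J spells its SSL modes differently, so documenting the target driver here is what lets an operator notice a mismatch before it is silently misconfigured.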
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
@@ -22,8 +22,11 @@ package org.apache.guacamole.auth.postgresql;
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import com.google.inject.name.Names;
+import java.io.File;
 import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLSSLMode;
 import org.mybatis.guice.datasource.helper.JdbcHelper;
 /**
@@ -69,6 +72,34 @@ public class PostgreSQLAuthenticationProviderModule implements Module {
 // Use UTF-8 in database
 driverProperties.setProperty("characterEncoding", "UTF-8");
+
+ // Check the SSL mode and set if configured.
+ PostgreSQLSSLMode sslMode = environment.getPostgreSQLSSLMode();
+ driverProperties.setProperty("sslmode", sslMode.getDriverValue());
+
+ // If SSL is enabled, check for and set other SSL properties.
+ if (sslMode != PostgreSQLSSLMode.DISABLE) {
+
+ // Sets the legacy SSL configuration mode required by older servers.
+ driverProperties.setProperty("ssl", "true");
+
+ File sslClientCert = environment.getPostgreSQLSSLClientCertFile();
+ if (sslClientCert != null)
+ driverProperties.setProperty("sslcert", sslClientCert.getAbsolutePath());
+
+ File sslClientKey = environment.getPostgreSQLSSLClientKeyFile();
+ if (sslClientKey != null)
+ driverProperties.setProperty("sslkey", sslClientKey.getAbsolutePath());
+
+ File sslRootCert = environment.getPostgreSQLSSLClientRootCertFile();
+ if (sslRootCert != null)
+ driverProperties.setProperty("sslrootcert", sslRootCert.getAbsolutePath());
+
+ String sslClientKeyPassword = environment.getPostgreSQLSSLClientKeyPassword();
+ if (sslClientKeyPassword != null)
+ driverProperties.setProperty("sslpassword", sslClientKeyPassword);
+
+ }
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
index ae8f88fe8..f04ff7448 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
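Review bot: `sslmode` is now written unconditionally, and the `DEFAULT_SSL_MODE` added in the PostgreSQLEnvironment hunk is `DISABLE`, so a deployment that never set `postgresql-ssl-mode` moves from pgjdbc's own default (`prefer`, which as far as I know encrypts whenever the server supports it) to an explicitly cleartext connection; defaulting to `PREFER`, or only setting `sslmode` when the property is configured, avoids that downgrade. The comment `// Sets the legacy SSL configuration mode required by older servers.` is misleading: `ssl` is a driver-side property, and as far as I can tell pgjdbc ignores it once `sslmode` is set, so `driverProperties.setProperty("ssl", "true");` is at most a no-op here — `// Legacy driver property, ignored by pgjdbc when sslmode is set` would describe it accurately. The enclosing method starts outside the hunk.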
@@ -24,6 +24,7 @@ import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule;
 import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
 /**
 * JDBCInjectorProvider implementation which configures Guice injections for
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
similarity index 74%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
index 4ac99e8d1..24e286e5a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
@@ -17,8 +17,9 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
+import java.io.File;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.slf4j.Logger;
@@ -96,6 +97,11 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
 * the values that should be used in the absence of the correct properties.
 */
 private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+
+ /**
+ * The default value to use for SSL mode if none is explicitly configured.
+ */
+ private final PostgreSQLSSLMode DEFAULT_SSL_MODE = PostgreSQLSSLMode.DISABLE;
 /**
 * Constructs a new PostgreSQLEnvironment, providing access to PostgreSQL-specific
@@ -249,4 +255,77 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
 return true; // All versions of PostgreSQL support recursive queries through CTEs
 }
+ /**
+ * Get the SSL mode to use to make the JDBC connection to the PostgreSQL
+ * server. If unspecified this will default to disabling SSL.
+ *
+ * @return
+ * The enum value of the SSL mode to use to make the JDBC connection
+ * to the server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public PostgreSQLSSLMode getPostgreSQLSSLMode() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_MODE,
+ DEFAULT_SSL_MODE);
+ }
+
+ /**
+ * Return the SSL client certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @return
+ * The SSL client certificate file to use for the PostgreSQL connection.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientCertFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_CERT_FILE);
+ }
+
+ /**
+ * Return the SSL client private key file to use to make the connection to the
+ * PostgreSQL server.
+ *
+ * @return
+ * The SSL client private key file to use for the PostgreSQL connection.
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientKeyFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_FILE);
+ }
+
+ /**
+ * Return the SSL client root certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @return
+ * The SSL client root certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientRootCertFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_ROOT_CERT_FILE);
+ }
+
+ /**
+ * Return the password to use to decrypt the private SSL key file when making
+ * the connection to the PostgreSQL server.
+ *
+ * @return
+ * The password to use to decrypt the private SSL key file when making
+ * the connection to the PostgreSQL server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public String getPostgreSQLSSLClientKeyPassword() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_PASSWORD);
+ }
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
similarity index 71%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
index 971165141..8bd1ff4f5 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
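Review bot: The Javadoc of `getPostgreSQLSSLClientKeyFile` is missing the blank `*` line between `@return` and `@throws` that the other four new getters have. `getPostgreSQLSSLClientRootCertFile`, its Javadoc, and the `POSTGRESQL_SSL_ROOT_CERT_FILE` Javadoc in the PostgreSQLGuacamoleProperties hunk all call the file a "client root certificate", but `sslrootcert` is the CA certificate the driver uses to verify the server, not a client credential; suggest `Return the root CA certificate file used to validate the PostgreSQL server's certificate.` as the summary sentence. Depending on driver version pgjdbc accepts `sslkey` only in PKCS#8 DER form, which is worth stating in the key-file Javadoc since a PEM key fails only at connect time.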
@@ -17,9 +17,11 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.EnumGuacamoleProperty;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
@@ -170,5 +172,65 @@ public class PostgreSQLGuacamoleProperties {
 public String getName() { return "postgresql-default-max-group-connections-per-user"; }
 };
-
+
+ /**
+ * The SSL mode that should be used by the JDBC driver when making
+ * connections to the remote server. By default SSL will be disabled.
+ */
+ public static final EnumGuacamoleProperty POSTGRESQL_SSL_MODE =
+ new EnumGuacamoleProperty(PostgreSQLSSLMode.class) {
+
+ @Override
+ public String getName() { return "postgresql-ssl-mode"; }
+
+ };
+
+ /**
+ * The client SSL certificate file used by the JDBC driver to make the
+ * SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_CERT_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-cert-file"; }
+
+ };
+
+ /**
+ * The client SSL private key file used by the JDBC driver to make the
+ * SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_KEY_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-key-file"; }
+
+ };
+
+ /**
+ * The client SSL root certificate file used by the JDBC driver to validate
+ * certificates when making the SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_ROOT_CERT_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-root-cert-file"; }
+
+ };
+
+ /**
+ * The password of the SSL private key used by the JDBC driver to make
+ * the SSL connection to the PostgreSQL server.
+ */
+ public static final StringGuacamoleProperty POSTGRESQL_SSL_KEY_PASSWORD =
+ new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-key-password"; }
+
+ };
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
similarity index 99%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
index b35507df9..7f2a36a29 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
@@ -17,7 +17,7 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
new file mode 100644
index 000000000..7a467f4c4
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.postgresql.conf;
+
+import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue;
+
+/**
+ * Possible values for PostgreSQL SSL connectivity.
+ */
+public enum PostgreSQLSSLMode {
+
+ /**
+ * Do not use SSL to connect to server.
+ */
+ @PropertyValue("disable")
+ DISABLE("disable"),
+
+ /**
+ * Allow SSL connections, but try non-SSL, first.
+ */
+ @PropertyValue("allow")
+ ALLOW("allow"),
+
+ /**
+ * Prefer SSL connections, falling back to non-SSL if that fails.
+ */
+ @PropertyValue("prefer")
+ PREFER("prefer"),
+
+ /**
+ * Require SSL connections, do not connect if SSL fails.
+ */
+ @PropertyValue("require")
+ REQUIRE("require"),
+
+ /**
+ * Require SSL connections and validate the CA certificate.
+ */
+ @PropertyValue("verify-ca")
+ VERIFY_CA("verify-ca"),
+
+ /**
+ * Require SSL connections and validate both the CA and server certificates.
+ */
+ @PropertyValue("verify-full")
+ VERIFY_FULL("verify-full");
+
+ /**
+ * The value expected by and passed on to the JDBC driver for the given
+ * SSL operation mode.
+ */
+ private final String driverValue;
+
+ /**
+ * Create a new instance of this enum with the given driverValue as the
+ * value that will be used when configuring the JDBC driver.
+ *
+ * @param driverValue
+ * The value to use when configuring the JDBC driver.
+ */
+ PostgreSQLSSLMode(String driverValue) {
+ this.driverValue = driverValue;
+ }
+
+ /**
+ * Returns the String value for a given Enum that properly configures the
+ * JDBC driver for the desired mode of SSL operation.
+ *
+ * @return
+ * The String value for the current Enum that configures the JDBC driver
+ * for the desired mode of SSL operation.
+ */
+ public String getDriverValue() {
+ return driverValue;
+ }
+
+}
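Review bot: The Javadoc for `VERIFY_FULL` ("validate both the CA and server certificates") does not capture what separates it from `VERIFY_CA`: both check that the server certificate chains to a trusted CA, and `verify-full` additionally checks that the server host name matches the certificate. Suggest `Require SSL, validate the server certificate against the trusted CA, and verify that the server host name matches the certificate.` for `VERIFY_FULL`. `REQUIRE` should also say that no certificate validation is performed, as the MySQL enum's `REQUIRED` doc does, so an operator choosing it knows it does not protect against an impersonated server.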