From 721010cc14bd565a31faff14d9a020973128565c Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Thu, 2 Apr 2020 23:19:43 -0400 Subject: [PATCH 1/6] GUACAMOLE-728: Implement MySQL driver SSL configuration. --- .../MySQLAuthenticationProviderModule.java | 28 +++++++++ .../auth/mysql/MySQLInjectorProvider.java | 1 + .../auth/mysql/{ => conf}/MySQLDriver.java | 2 +- .../mysql/{ => conf}/MySQLEnvironment.java | 39 ++++++++++++- .../{ => conf}/MySQLGuacamoleProperties.java | 45 ++++++++++++++- .../mysql/{ => conf}/MySQLPasswordPolicy.java | 2 +- .../auth/mysql/conf/MySQLSSLMode.java | 42 ++++++++++++++ .../auth/mysql/conf/MySQLSSLProperty.java | 57 +++++++++++++++++++ .../auth/mysql/{ => conf}/MySQLVersion.java | 2 +- 9 files changed, 213 insertions(+), 5 deletions(-) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/{ => conf}/MySQLDriver.java (96%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/{ => conf}/MySQLEnvironment.java (88%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/{ => conf}/MySQLGuacamoleProperties.java (80%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/{ => conf}/MySQLPasswordPolicy.java (99%) create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/{ => conf}/MySQLVersion.java (99%) 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java index c7dd0e1a4..a58e9add8 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java @@ -22,8 +22,12 @@ package org.apache.guacamole.auth.mysql; import com.google.inject.Binder; import com.google.inject.Module; import com.google.inject.name.Names; +import java.io.File; +import java.net.URI; import java.util.Properties; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.mysql.conf.MySQLDriver; +import org.apache.guacamole.auth.mysql.conf.MySQLEnvironment; import org.mybatis.guice.datasource.helper.JdbcHelper; /** 
@@ -79,6 +83,30 @@ public class MySQLAuthenticationProviderModule implements Module { // Allow use of multiple statements within a single query driverProperties.setProperty("allowMultiQueries", "true"); + // Set the SSL mode to use when conncting + driverProperties.setProperty("sslMode", environment.getMySQLSSLMode().toString()); + + // Check other SSL settings and set as required + File trustStore = environment.getMySQLSSLTrustStore(); + if (trustStore != null) + driverProperties.setProperty("trustCertificateKeyStoreUrl", + trustStore.getAbsolutePath()); + + String trustPassword = environment.getMySQLSSLTrustPassword(); + if (trustPassword != null) + driverProperties.setProperty("trustCertificateKeyStorePassword", + trustPassword); + + File clientStore = environment.getMySQLSSLClientStore(); + if (clientStore != null) + driverProperties.setProperty("clientCertificateKeyStoreUrl", + clientStore.getAbsolutePath()); + + String clientPassword = environment.getMYSQLSSLClientPassword(); + if (clientPassword != null) + driverProperties.setProperty("clientCertificateKeyStorePassword", + clientPassword); + // Get the MySQL-compatible driver to use. mysqlDriver = environment.getMySQLDriver(); diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java index aa582fdcd..ec5fcc1d8 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLInjectorProvider.java 
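Review bot: `trustCertificateKeyStoreUrl` and `clientCertificateKeyStoreUrl` are given `getAbsolutePath()`, but as the property names say Connector/J parses these values as URLs, so a bare filesystem path (no scheme) is rejected when the driver opens the store; `trustStore.toURI().toString()` and `clientStore.toURI().toString()` produce the `file:` URL the driver wants, and also give the otherwise unused `java.net.URI` import from the previous hunk a purpose. The trust-store and client-store passwords are copied into `driverProperties` even when `sslMode` is DISABLED; wrapping the four blocks in `if (environment.getMySQLSSLMode() != MySQLSSLMode.DISABLED) { … }`, as the PostgreSQL module hunk does, keeps the key-store password out of the properties when it cannot be used. The four `if` bodies are two-line unbraced statements; bracing them (here and in the PostgreSQL module hunk) avoids the dangling-statement trap on the next edit. The enclosing method starts and ends outside the hunk.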
@@ -24,6 +24,7 @@ import com.google.inject.Injector; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule; import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider; +import org.apache.guacamole.auth.mysql.conf.MySQLEnvironment; /** * JDBCInjectorProvider implementation which configures Guice injections for diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java similarity index 96% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java index ea74f9937..36e8e9b1b 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLDriver.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLDriver.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.mysql; +package org.apache.guacamole.auth.mysql.conf; import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue; 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java similarity index 88% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java index 179b812e4..062142c61 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java @@ -17,8 +17,9 @@ * under the License. */ -package org.apache.guacamole.auth.mysql; +package org.apache.guacamole.auth.mysql.conf; +import java.io.File; import java.sql.Connection; import java.sql.DatabaseMetaData; import java.sql.SQLException; @@ -101,6 +102,11 @@ public class MySQLEnvironment extends JDBCEnvironment { * allowed to any one connection group. */ private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0; + + /** + * The default SSL mode for connecting to MySQL servers. + */ + private final MySQLSSLMode DEFAULT_SSL_MODE = MySQLSSLMode.DISABLED; /** * Constructs a new MySQLEnvironment, providing access to MySQL-specific 
@@ -300,5 +306,36 @@ public class MySQLEnvironment extends JDBCEnvironment { } } + + /** + * Return the MySQL SSL mode as configured in guacamole.properties, or the + * default value of DISABLED if not configured. + * + * @return + * The SSL mode to use when connecting to the MySQL server. + * + * @throws GuacamoleException + * If an error occurs retrieving the property value. + */ + public MySQLSSLMode getMySQLSSLMode() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_MODE, + DEFAULT_SSL_MODE); + } + + public File getMySQLSSLTrustStore() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE); + } + + public String getMySQLSSLTrustPassword() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD); + } + + public File getMySQLSSLClientStore() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE); + } + + public String getMYSQLSSLClientPassword() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD); + } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java similarity index 80% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java index c0770b777..fbe716191 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java 
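Review bot: `getMySQLSSLClientStore()` and `getMYSQLSSLClientPassword()` read `MYSQL_SSL_TRUST_STORE` and `MYSQL_SSL_TRUST_PASSWORD`, so the client key store and its password are silently taken from the trust-store settings and the `MYSQL_SSL_CLIENT_STORE` / `MYSQL_SSL_CLIENT_PASSWORD` properties added in the MySQLGuacamoleProperties hunk are never read; they should return `getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_STORE)` and `getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_PASSWORD)`. The name `getMYSQLSSLClientPassword` breaks the `getMySQL…` casing of its siblings; renaming it to `getMySQLSSLClientPassword` also needs the call in the module hunk updated. The four new getters lack the Javadoc that `getMySQLSSLMode` and the rest of the class carry; each should name the property it reads and state that it presumably returns null when unset (the module hunk relies on that), e.g. `Returns the key store holding the client certificate and key used for MySQL SSL connections, or null if none is configured.`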
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java @@ -17,10 +17,11 @@ * under the License. */ -package org.apache.guacamole.auth.mysql; +package org.apache.guacamole.auth.mysql.conf; import org.apache.guacamole.properties.BooleanGuacamoleProperty; import org.apache.guacamole.properties.EnumGuacamoleProperty; +import org.apache.guacamole.properties.FileGuacamoleProperty; import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; @@ -177,5 +178,47 @@ public class MySQLGuacamoleProperties { public String getName() { return "mysql-default-max-group-connections-per-user"; } }; + + /** + * The SSL mode used to connect to the MySQL Server. By default SSL will + * not be used. + */ + public static final MySQLSSLProperty MYSQL_SSL_MODE = + new MySQLSSLProperty() { + + @Override + public String getName() { return "mysql-ssl-mode" ; } + + }; + + public static final FileGuacamoleProperty MYSQL_SSL_TRUST_STORE = + new FileGuacamoleProperty() { + + @Override + public String getName() { return "mysql-ssl-trust-store"; } + + }; + + public static final StringGuacamoleProperty MYSQL_SSL_TRUST_PASSWORD = + new StringGuacamoleProperty() { + + @Override + public String getName() { return "mysql-ssl-trust-password"; } + + }; + + public static final FileGuacamoleProperty MYSQL_SSL_CLIENT_STORE = new FileGuacamoleProperty() { + + @Override + public String getName() { return "mysql-ssl-client-store"; } + + }; + + public static final StringGuacamoleProperty MYSQL_SSL_CLIENT_PASSWORD = new StringGuacamoleProperty() { + + @Override + public String getName() { return "mysql-ssl-client-password"; } + + }; } 
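Review bot: `MYSQL_SSL_TRUST_STORE`, `MYSQL_SSL_TRUST_PASSWORD`, `MYSQL_SSL_CLIENT_STORE` and `MYSQL_SSL_CLIENT_PASSWORD` have no Javadoc, unlike every other property in the class, and the last two put `new …Property() {` on the declaration line while their siblings use a continuation line; `"mysql-ssl-mode" ;` also has a stray space before the semicolon. Each of the four should carry a comment in the style of `MYSQL_SSL_MODE`, e.g. for the trust store `The key store containing the CA certificate(s) used to verify the MySQL server's certificate; presumably only consulted in the VERIFY_CA and VERIFY_IDENTITY modes.` For the two password properties it is worth stating that the value is read in clear text from guacamole.properties, so that file's permissions are what protect the key store.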
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java similarity index 99% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java index bf8bbede8..69b4ec85a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLPasswordPolicy.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.mysql; +package org.apache.guacamole.auth.mysql.conf; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCEnvironment; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java new file mode 100644 index 000000000..ab81cc7e5 --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java 
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.mysql.conf;
+
+/**
+ * Possible values for enabling SSL within the MySQL Driver.
+ */
+public enum MySQLSSLMode {
+
+ // Disable SSL altogether.
+ DISABLED,
+
+ // Prefer SSL, but fall-back to non-SSL.
+ PREFERRED,
+
+ // Require SSL, but perform no verification.
+ REQUIRED,
+
+ // Require SSL and verify a valid authority.
+ VERIFY_CA,
+
+ // Require SSL and verify a valid authority and server certificate.
+ VERIFY_IDENTITY;
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java
new file mode 100644
index 000000000..887602a93
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java
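Review bot: The five constants are described with `//` line comments, which Javadoc discards, so the generated documentation for `MySQLSSLMode` explains none of the modes; they should be `/** … */` blocks. The `REQUIRED` comment in particular deserves to spell out the trade-off it accepts, e.g. `/** Require SSL, but perform no certificate verification: the connection is encrypted but the server is not authenticated. */`, since it is the mode an operator is most likely to pick without realising that.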
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.mysql.conf;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.properties.GuacamoleProperty;
+
+/**
+ *
+ * @author nick_couchman
+ */
+public abstract class MySQLSSLProperty implements GuacamoleProperty {
+
+ @Override
+ public MySQLSSLMode parseValue(String value) throws GuacamoleException {
+
+ if (value == null)
+ return null;
+
+ if (value.equals("disabled"))
+ return MySQLSSLMode.DISABLED;
+
+ if (value.equals("preferred"))
+ return MySQLSSLMode.PREFERRED;
+
+ if (value.equals("required"))
+ return MySQLSSLMode.REQUIRED;
+
+ if (value.equals("verify-ca"))
+ return MySQLSSLMode.VERIFY_CA;
+
+ if (value.equals("verify-identity"))
+ return MySQLSSLMode.VERIFY_IDENTITY;
+
+ throw new GuacamoleServerException("MySQL SSL mode set to invalid value.");
+
+ }
+
+}
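Review bot: `MySQLSSLProperty` implements the raw `GuacamoleProperty` although `parseValue` returns `MySQLSSLMode`; it should be `implements GuacamoleProperty<MySQLSSLMode>` so the compiler checks the override and `getProperty` callers get the typed value without an unchecked cast. The class Javadoc is an empty `@author` stub; replace it with a summary such as `A GuacamoleProperty whose value is a MySQLSSLMode, parsed from the lower-case, hyphenated names used in guacamole.properties.` The hand-written `equals` chain appears to duplicate what the project's `EnumGuacamoleProperty` with `@PropertyValue` already does for `MySQLDriver` (the import survives in the MySQLDriver rename hunk), which would make this class unnecessary; failing that, the exception should name the offending value, `throw new GuacamoleServerException("Invalid MySQL SSL mode: " + value);`, which is not a secret and makes the misconfiguration findable in the log.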
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java similarity index 99% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java index 577506ef0..2354d942e 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLVersion.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLVersion.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.mysql; +package org.apache.guacamole.auth.mysql.conf; import com.google.common.collect.ComparisonChain; import java.util.regex.Matcher; From d5a3f8116ec3582e7af976558f23ebc4fdd7963e Mon Sep 17 00:00:00 2001 
From: Virtually Nick Date: Thu, 2 Apr 2020 23:45:47 -0400 Subject: [PATCH 2/6] GUACAMOLE-728: Add PostgreSQL SSL mode configuration. --- ...ostgreSQLAuthenticationProviderModule.java | 29 +++++++ .../PostgreSQLInjectorProvider.java | 1 + .../{ => conf}/PostgreSQLEnvironment.java | 81 +++++++++++++++++- .../PostgreSQLGuacamoleProperties.java | 65 ++++++++++++++- .../{ => conf}/PostgreSQLPasswordPolicy.java | 2 +- .../postgresql/conf/PostgreSQLSSLMode.java | 82 +++++++++++++++++++ .../conf/PostgreSQLSSLProperty.java | 47 +++++++++++ 7 files changed, 303 insertions(+), 4 deletions(-) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/{ => conf}/PostgreSQLEnvironment.java (74%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/{ => conf}/PostgreSQLGuacamoleProperties.java (72%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/{ => conf}/PostgreSQLPasswordPolicy.java (99%) create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java index dc57ff700..e65abb82f 100644 
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java @@ -22,8 +22,11 @@ package org.apache.guacamole.auth.postgresql; import com.google.inject.Binder; import com.google.inject.Module; import com.google.inject.name.Names; +import java.io.File; import java.util.Properties; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment; +import org.apache.guacamole.auth.postgresql.conf.PostgreSQLSSLMode; import org.mybatis.guice.datasource.helper.JdbcHelper; /** 
@@ -69,6 +72,32 @@ public class PostgreSQLAuthenticationProviderModule implements Module { // Use UTF-8 in database driverProperties.setProperty("characterEncoding", "UTF-8"); + + // Check the SSL mode and set if configured. + PostgreSQLSSLMode sslMode = environment.getPostgreSQLSSLMode(); + driverProperties.setProperty("sslmode", sslMode.toString()); + + // If SSL is enabled, check for and set other SSL properties. + if (sslMode != PostgreSQLSSLMode.DISABLE) { + driverProperties.setProperty("ssl", "true"); + + File sslClientCert = environment.getPostgreSQLSSLClientCertFile(); + if (sslClientCert != null) + driverProperties.setProperty("sslcert", sslClientCert.getAbsolutePath()); + + File sslClientKey = environment.getPostgreSQLSSLClientKeyFile(); + if (sslClientKey != null) + driverProperties.setProperty("sslkey", sslClientKey.getAbsolutePath()); + + File sslRootCert = environment.getPostgreSQLSSLClientRootCertFile(); + if (sslRootCert != null) + driverProperties.setProperty("sslrootcert", sslRootCert.getAbsolutePath()); + + String sslClientKeyPassword = environment.getPostgreSQLSSLClientKeyPassword(); + if (sslClientKeyPassword != null) + driverProperties.setProperty("sslpassword", sslClientKeyPassword); + + } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java index ae8f88fe8..f04ff7448 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java 
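Review bot: The comment `// Check the SSL mode and set if configured.` is misleading, because `sslmode` is always written — `getPostgreSQLSSLMode()` falls back to `DEFAULT_SSL_MODE` — so `// Always pass the SSL mode; it defaults to "disable" when unset.` describes the behavior. When the mode is DISABLE, any configured cert, key, root-cert or key-password property is silently ignored, so an operator who sets `postgresql-ssl-cert-file` but forgets `postgresql-ssl-mode` gets a plaintext connection with no indication; logging a warning in that case (if this module has a logger) or documenting the precedence on the properties would avoid the silent downgrade. Setting `ssl=true` next to an explicit `sslmode` is redundant with current pgjdbc, and how the two interact for `allow`/`prefer` has differed between driver versions — worth confirming against the pinned driver or dropping the extra property. The enclosing method starts and ends outside the hunk.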
@@ -24,6 +24,7 @@ import com.google.inject.Injector; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule; import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider; +import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment; /** * JDBCInjectorProvider implementation which configures Guice injections for diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java similarity index 74% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java index 4ac99e8d1..24e286e5a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java @@ -17,8 +17,9 @@ * under the License. */ -package org.apache.guacamole.auth.postgresql; +package org.apache.guacamole.auth.postgresql.conf; +import java.io.File; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCEnvironment; import org.slf4j.Logger; 
@@ -96,6 +97,11 @@ public class PostgreSQLEnvironment extends JDBCEnvironment { * the values that should be used in the absence of the correct properties. */ private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0; + + /** + * The default value to use for SSL mode if none is explicitly configured. + */ + private final PostgreSQLSSLMode DEFAULT_SSL_MODE = PostgreSQLSSLMode.DISABLE; /** * Constructs a new PostgreSQLEnvironment, providing access to PostgreSQL-specific 
@@ -249,4 +255,77 @@ public class PostgreSQLEnvironment extends JDBCEnvironment { return true; // All versions of PostgreSQL support recursive queries through CTEs } + /** + * Get the SSL mode to use to make the JDBC connection to the PostgreSQL + * server. If unspecified this will default to disabling SSL. + * + * @return + * The enum value of the SSL mode to use to make the JDBC connection + * to the server. + * + * @throws GuacamoleException + * If an error occurs retrieving the value from guacamole.properties. + */ + public PostgreSQLSSLMode getPostgreSQLSSLMode() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_MODE, + DEFAULT_SSL_MODE); + } + + /** + * Return the SSL client certificate file to use to make the connection + * to the PostgreSQL server. + * + * @return + * The SSL client certificate file to use for the PostgreSQL connection. + * + * @throws GuacamoleException + * If an error occurs retrieving the value from guacamole.properties. + */ + public File getPostgreSQLSSLClientCertFile() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_CERT_FILE); + } + + /** + * Return the SSL client private key file to use to make the connection to the + * PostgreSQL server. + * + * @return + * The SSL client private key file to use for the PostgreSQL connection. + * @throws GuacamoleException + * If an error occurs retrieving the value from guacamole.properties. + */ + public File getPostgreSQLSSLClientKeyFile() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_FILE); + } + + /** + * Return the SSL client root certificate file to use to make the connection + * to the PostgreSQL server. + * + * @return + * The SSL client root certificate file to use to make the connection + * to the PostgreSQL server. + * + * @throws GuacamoleException + * If an error occurs retrieving the value from guacamole.properties. 
+ */ + public File getPostgreSQLSSLClientRootCertFile() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_ROOT_CERT_FILE); + } + + /** + * Return the password to use to decrypt the private SSL key file when making + * the connection to the PostgreSQL server. + * + * @return + * The password to use to decrypt the private SSL key file when making + * the connection to the PostgreSQL server. + * + * @throws GuacamoleException + * If an error occurs retrieving the value from guacamole.properties. + */ + public String getPostgreSQLSSLClientKeyPassword() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_PASSWORD); + } + } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java similarity index 72% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java index 971165141..afd77140e 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java 
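Review bot: `getPostgreSQLSSLClientRootCertFile()` and its Javadoc call the root certificate a "client" certificate, but the file behind `POSTGRESQL_SSL_ROOT_CERT_FILE` is the CA certificate used to verify the server's certificate and only matters for `verify-ca`/`verify-full`; naming it `getPostgreSQLSSLRootCertFile()` (the module hunk is the only visible caller) and documenting it as `The CA certificate file used to verify the PostgreSQL server's certificate in the verify-ca and verify-full SSL modes.` would stop operators pointing it at the client certificate. The `getPostgreSQLSSLClientKeyFile` Javadoc is missing the blank line before `@throws` that its siblings have. Each getter presumably returns null when the property is unset (the module hunk's null checks rely on it); the `@return` text should say so.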
@@ -17,9 +17,10 @@ * under the License. */ -package org.apache.guacamole.auth.postgresql; +package org.apache.guacamole.auth.postgresql.conf; import org.apache.guacamole.properties.BooleanGuacamoleProperty; +import org.apache.guacamole.properties.FileGuacamoleProperty; import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; 
@@ -170,5 +171,65 @@ public class PostgreSQLGuacamoleProperties { public String getName() { return "postgresql-default-max-group-connections-per-user"; } }; - + + /** + * The SSL mode that should be used by the JDBC driver when making + * connections to the remote server. By default SSL will be disabled. + */ + public static final PostgreSQLSSLProperty POSTGRESQL_SSL_MODE = + new PostgreSQLSSLProperty() { + + @Override + public String getName() { return "postgresql-ssl-mode"; } + + }; + + /** + * The client SSL certificate file used by the JDBC driver to make the + * SSL connection. + */ + public static final FileGuacamoleProperty POSTGRESQL_SSL_CERT_FILE = + new FileGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-ssl-cert-file"; } + + }; + + /** + * The client SSL private key file used by the JDBC driver to make the + * SSL connection. + */ + public static final FileGuacamoleProperty POSTGRESQL_SSL_KEY_FILE = + new FileGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-ssl-key-file"; } + + }; + + /** + * The client SSL root certificate file used by the JDBC driver to validate + * certificates when making the SSL connection. + */ + public static final FileGuacamoleProperty POSTGRESQL_SSL_ROOT_CERT_FILE = + new FileGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-ssl-root-cert-file"; } + + }; + + /** + * The password of the SSL private key used by the JDBC driver to make + * the SSL connection to the PostgreSQL server. + */ + public static final StringGuacamoleProperty POSTGRESQL_SSL_KEY_PASSWORD = + new StringGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-ssl-key-password"; } + + }; + } 
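Review bot: The Javadoc for `POSTGRESQL_SSL_KEY_FILE` does not say what format the driver expects; pgjdbc's default SSL factory reads `sslkey` as a PKCS#8 DER file (its default name is `postgresql.pk8`), not a PEM key, and a PEM file only fails at connect time with an opaque error, so the comment should state the expected format — confirm against the pinned driver version. `POSTGRESQL_SSL_ROOT_CERT_FILE` is described as a "client SSL root certificate", but it is the CA certificate used to validate the server's certificate and is only consulted in the verify-ca and verify-full modes; suggest `The CA certificate file used by the JDBC driver to verify the server's certificate; only consulted when postgresql-ssl-mode is verify-ca or verify-full.` The `POSTGRESQL_SSL_KEY_PASSWORD` Javadoc could note that the value is stored in clear text in guacamole.properties, so that file's permissions are what protect the key.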
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java similarity index 99% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java index b35507df9..7f2a36a29 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.postgresql; +package org.apache.guacamole.auth.postgresql.conf; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCEnvironment; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java new file mode 100644 index 000000000..e9c75b9ab --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java 
@@ -0,0 +1,82 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.postgresql.conf; + +/** + * Possible values for PostgreSQL SSL connectivity. + */ +public enum PostgreSQLSSLMode { + + // Do not use SSL to connect to server. + DISABLE("disable"), + + // Allow SSL connections, but try non-SSL, first. + ALLOW("allow"), + + // Prefer SSL connections, falling back to non-SSL if that fails. + PREFER("prefer"), + + // Require SSL connections, do not connect if SSL fails. + REQUIRE("require"), + + // Require SSL connections and validate the CA certificate. + VERIFY_CA("verify-ca"), + + // Require SSL connections and validate both the CA and server certificates. + VERIFY_FULL("verify-full"); + + // The value actually passed on to the JDBC driver. + private String configValue; + + /** + * Create a new instance of this enum with the given configValue as the + * value that will be used when configuring the JDBC driver. + * + * @param configValue + * The value to use when configuring the JDBC driver. 
+ */ + PostgreSQLSSLMode(String configValue) { + this.configValue = configValue; + } + + @Override + public String toString() { + return configValue; + } + + /** + * Given the String value, determine the correct enum value that matches + * the string, or null if there is no match. + * + * @param value + * The String value to test to find a match. + * + * @return + * The enum value matching the given String. + */ + public static PostgreSQLSSLMode getValue(String value) { + for (PostgreSQLSSLMode mode : PostgreSQLSSLMode.values()) { + if (mode.toString().equals(value)) + return mode; + } + return null; + } + +} diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java new file mode 100644 index 000000000..b014605ef --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java 
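Review bot: The comments on `REQUIRE`, `ALLOW` and `PREFER` never say that in those modes the server certificate is not checked, so an operator reading `require` may believe the connection is authenticated when only encryption is guaranteed; suggest `// Require SSL connections, but do not validate the server certificate.` for `REQUIRE`, mirroring the MySQL counterpart's "perform no certificate validation" wording. `VERIFY_FULL`'s comment, "validate both the CA and server certificates", reads as if `VERIFY_CA` validated neither; what `verify-full` adds is checking the server's hostname against the certificate, and the comment should say that (`// Require SSL, validate the CA and check the server hostname against the certificate.`). `getValue` is an exact, case-sensitive match that returns null on a miss, which is fine as the strict behaviour but deserves a one-line note on the method so nobody "fixes" it with `equalsIgnoreCase` without thinking about it.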
@@ -0,0 +1,47 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.postgresql.conf; + +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.properties.GuacamoleProperty; + +/** + * + * @author nick_couchman + */ +public abstract class PostgreSQLSSLProperty + implements GuacamoleProperty { + + @Override + public PostgreSQLSSLMode parseValue(String value) throws GuacamoleException { + + if (value == null) + return null; + + PostgreSQLSSLMode mode = PostgreSQLSSLMode.getValue(value); + if (mode != null) + return mode; + + throw new GuacamoleServerException("Invalid PostgreSQL SSL mode configured."); + + } + +} From 8c2df77f2db42c197286677c8864a7464e0a3787 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Sat, 2 May 2020 22:32:28 -0400 Subject: [PATCH 3/6] GUACAMOLE-728: Set legacy SSL options for MySQL --- .../auth/mysql/MySQLAuthenticationProviderModule.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
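Review bot: The class Javadoc for `PostgreSQLSSLProperty` consists only of an `@author` tag; a summary such as `* A GuacamoleProperty whose value is a PostgreSQLSSLMode, parsed from the spelling used by the PostgreSQL driver (disable, allow, prefer, require, verify-ca, verify-full).` would tell a reader the accepted values without opening the enum, and `PostgreSQLSSLMode.java` in the same commit carries no `@author` tag, so the two files are inconsistent. The `GuacamoleServerException` message "Invalid PostgreSQL SSL mode configured." could include the rejected value, which is not secret, so that a typo like `Require` is diagnosable from the log rather than by re-reading the properties file.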
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
index a58e9add8..f2908ee66 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
@@ -28,6 +28,7 @@ import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.mysql.conf.MySQLDriver;
 import org.apache.guacamole.auth.mysql.conf.MySQLEnvironment;
+import org.apache.guacamole.auth.mysql.conf.MySQLSSLMode;
 import org.mybatis.guice.datasource.helper.JdbcHelper;
 
 /**
@@ -84,7 +85,14 @@ public class MySQLAuthenticationProviderModule implements Module {
         driverProperties.setProperty("allowMultiQueries", "true");
 
         // Set the SSL mode to use when conncting
-        driverProperties.setProperty("sslMode", environment.getMySQLSSLMode().toString());
+        MySQLSSLMode sslMode = environment.getMySQLSSLMode();
+        driverProperties.setProperty("sslMode", sslMode.toString());
+
+        // Set legacy properties
+        if (sslMode == MySQLSSLMode.DISABLED)
+            driverProperties.setProperty("useSSL", "false");
+        else
+            driverProperties.setProperty("useSSL", "true");
 
         // Check other SSL settings and set as required
         File trustStore = environment.getMySQLSSLTrustStore();
From 31288fc4d0205960305eb455b335012184a91edf Mon Sep 17 00:00:00 2001
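Review bot: The legacy `useSSL=true` fallback does not carry the configured verification level: on Connector/J versions old enough to ignore `sslMode` (presumably the reason the legacy flag is set at all), `useSSL=true` on its own — if I recall the 5.1-era options correctly — enables TLS without validating the server certificate, so an operator who configures `verify-ca` or `verify-identity` gets encryption but no authentication of the server on those drivers. If the legacy path is meant to preserve the configured level, it should also set the older `verifyServerCertificate` and `requireSSL` options as sketched below (option names to be confirmed against the driver versions actually supported); if it is only meant to toggle encryption, a comment stating that older drivers silently downgrade the verification level would at least make the gap explicit. The `conncting` typo in the retained comment could be fixed while here.
```java
        // Set legacy properties (honored by drivers that predate sslMode)
        if (sslMode == MySQLSSLMode.DISABLED)
            driverProperties.setProperty("useSSL", "false");
        else {
            driverProperties.setProperty("useSSL", "true");
            // Older drivers do not validate the server certificate unless told to;
            // confirm these option names against the Connector/J versions in use.
            if (sslMode == MySQLSSLMode.VERIFY_CA
                    || sslMode == MySQLSSLMode.VERIFY_IDENTITY)
                driverProperties.setProperty("verifyServerCertificate", "true");
            if (sslMode != MySQLSSLMode.PREFERRED)
                driverProperties.setProperty("requireSSL", "true");
        }
        // … unchanged: trust store / client store handling …
```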
From: Virtually Nick Date: Sat, 13 Jun 2020 22:34:01 -0400 Subject: [PATCH 4/6] GUACAMOLE-728: Refactor with EnumGuacamoleProperty and fix up comments. --- .../auth/mysql/conf/MySQLEnvironment.java | 51 ++++++++++++++++- .../mysql/conf/MySQLGuacamoleProperties.java | 28 +++++++-- .../auth/mysql/conf/MySQLSSLMode.java | 28 +++++++-- .../auth/mysql/conf/MySQLSSLProperty.java | 57 ------------------- .../conf/PostgreSQLGuacamoleProperties.java | 5 +- .../postgresql/conf/PostgreSQLSSLMode.java | 38 ++++++++++--- .../conf/PostgreSQLSSLProperty.java | 47 --------------- 7 files changed, 130 insertions(+), 124 deletions(-) delete mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java delete mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java index 062142c61..a538ff395 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java 
@@ -318,22 +318,71 @@ public class MySQLEnvironment extends JDBCEnvironment { * If an error occurs retrieving the property value. */ public MySQLSSLMode getMySQLSSLMode() throws GuacamoleException { - return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_MODE, + return getProperty( + MySQLGuacamoleProperties.MYSQL_SSL_MODE, DEFAULT_SSL_MODE); } + /** + * Returns the File where the trusted certificate store is located as + * configured in guacamole.properties, or null if no value has been + * configured. The trusted certificate store is used to validate server + * certificates when making SSL connections to MySQL servers. + * + * @return + * The File where the trusted certificate store is located, or null + * if the value has not been configured. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ public File getMySQLSSLTrustStore() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE); } + /** + * Returns the password used to access the trusted certificate store as + * configured in guacamole.properties, or null if no password has been + * specified. + * + * @return + * The password used to access the trusted certificate store. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ public String getMySQLSSLTrustPassword() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD); } + /** + * Returns the File used to store the client SSL certificate as configured + * in guacamole.properties, or null if no value has been specified. This + * file will be used to load the client certificate used for SSL connections + * to MySQL servers, if the SSL connection is so configured to require + * client certificate authentication. + * + * @return + * The File where the client SSL certificate is stored. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. 
+ */ public File getMySQLSSLClientStore() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_STORE); } + /** + * Returns the password used to access the client certificate store as + * configured in guacamole.properties, or null if no value has been + * specified. + * + * @return + * The password used to access the client SSL certificate store. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ public String getMYSQLSSLClientPassword() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD); } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java index fbe716191..c87f4cf4b 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java @@ -183,14 +183,19 @@ public class MySQLGuacamoleProperties { * The SSL mode used to connect to the MySQL Server. By default SSL will * not be used. */ - public static final MySQLSSLProperty MYSQL_SSL_MODE = - new MySQLSSLProperty() { + public static final EnumGuacamoleProperty MYSQL_SSL_MODE = + new EnumGuacamoleProperty(MySQLSSLMode.class) { @Override public String getName() { return "mysql-ssl-mode" ; } }; + /** + * The File where trusted SSL certificate authorities and server certificates + * are stored. By default no file is specified, and the default Java + * trusted certificate stores will be used. + */ public static final FileGuacamoleProperty MYSQL_SSL_TRUST_STORE = new FileGuacamoleProperty() { 
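Review bot: `getMySQLSSLClientStore()` and `getMYSQLSSLClientPassword()` read `MYSQL_SSL_TRUST_STORE` and `MYSQL_SSL_TRUST_PASSWORD`, although `MYSQL_SSL_CLIENT_STORE` and `MYSQL_SSL_CLIENT_PASSWORD` exist in `MySQLGuacamoleProperties`; the new Javadoc describes a client keystore while the code returns the trust store, so `mysql-ssl-client-store` and `mysql-ssl-client-password` in guacamole.properties are silently ignored and the trust store (with the trust-store password) would be handed to the driver as the client keystore. The fix is to reference the client properties: `return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_STORE);` and `return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_CLIENT_PASSWORD);`. The name `getMYSQLSSLClientPassword` also breaks the `getMySQL…` casing of its siblings and will be awkward to rename once callers exist. The code in `MySQLAuthenticationProviderModule` that consumes these getters is outside this hunk, so I could not check what the driver is told when a store is configured without a password.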
@@ -199,6 +204,10 @@ public class MySQLGuacamoleProperties { }; + /** + * The password to use to access the mysql-ssl-trust-store, if required. By + * default no password will be used to attempt to access the store. + */ public static final StringGuacamoleProperty MYSQL_SSL_TRUST_PASSWORD = new StringGuacamoleProperty() { @@ -207,14 +216,25 @@ public class MySQLGuacamoleProperties { }; - public static final FileGuacamoleProperty MYSQL_SSL_CLIENT_STORE = new FileGuacamoleProperty() { + /** + * The File used to store the client certificate for configurations where + * a client certificate is required for authentication. By default no + * client certificate store will be specified. + */ + public static final FileGuacamoleProperty MYSQL_SSL_CLIENT_STORE = + new FileGuacamoleProperty() { @Override public String getName() { return "mysql-ssl-client-store"; } }; - public static final StringGuacamoleProperty MYSQL_SSL_CLIENT_PASSWORD = new StringGuacamoleProperty() { + /** + * The password to use to access the mysql-ssl-client-store file. By + * default no password will be used to attempt to access the file. + */ + public static final StringGuacamoleProperty MYSQL_SSL_CLIENT_PASSWORD = + new StringGuacamoleProperty() { @Override public String getName() { return "mysql-ssl-client-password"; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java index ab81cc7e5..a95bb556d 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java 
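Review bot: The new Javadoc for `MYSQL_SSL_CLIENT_STORE` calls it "The File used to store the client certificate", but for client-certificate authentication the store must presumably also hold the client's private key — the property is paired with a password, which suggests a Java keystore rather than a bare certificate file — and saying so would stop operators pointing it at a PEM certificate; something like `* The keystore file holding the client certificate and its private key, for servers that require client certificate authentication.` once the expected format is confirmed. Both password properties are plain strings in guacamole.properties, so a sentence such as `* This password is stored in clear text in guacamole.properties; restrict that file's permissions accordingly.` on `MYSQL_SSL_TRUST_PASSWORD` and `MYSQL_SSL_CLIENT_PASSWORD` is the caveat a deployer wants. The enclosing `MySQLGuacamoleProperties` class continues beyond this hunk.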
@@ -19,24 +19,42 @@ package org.apache.guacamole.auth.mysql.conf; +import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue; + /** * Possible values for enabling SSL within the MySQL Driver. */ public enum MySQLSSLMode { - // Disable SSL altogether. + /** + * Do not use SSL at all. + */ + @PropertyValue("disabled") DISABLED, - // Prefer SSL, but fall-back to non-SSL. + /** + * Prefer SSL, but fall back to unencrypted. + */ + @PropertyValue("preferred") PREFERRED, - // Require SSL, but perform no verification. + /** + * Require SSL, but perform no certificate validation. + */ + @PropertyValue("required") REQUIRED, - // Require SSL and verify a valid authority. + /** + * Require SSL, and validate server certificate issuer. + */ + @PropertyValue("verify-ca") VERIFY_CA, - // Require SSL and verify a valid authority and server certificate. + /** + * Require SSL and validate both server certificate issuer and server + * identity. + */ + @PropertyValue("verify-identity") VERIFY_IDENTITY; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java deleted file mode 100644 index 887602a93..000000000 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLProperty.java +++ /dev/null 
@@ -1,57 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.mysql.conf; - -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleServerException; -import org.apache.guacamole.properties.GuacamoleProperty; - -/** - * - * @author nick_couchman - */ -public abstract class MySQLSSLProperty implements GuacamoleProperty { - - @Override - public MySQLSSLMode parseValue(String value) throws GuacamoleException { - - if (value == null) - return null; - - if (value.equals("disabled")) - return MySQLSSLMode.DISABLED; - - if (value.equals("preferred")) - return MySQLSSLMode.PREFERRED; - - if (value.equals("required")) - return MySQLSSLMode.REQUIRED; - - if (value.equals("verify-ca")) - return MySQLSSLMode.VERIFY_CA; - - if (value.equals("verify-identity")) - return MySQLSSLMode.VERIFY_IDENTITY; - - throw new GuacamoleServerException("MySQL SSL mode set to invalid value."); - - } - -} 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java index afd77140e..8bd1ff4f5 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java @@ -20,6 +20,7 @@ package org.apache.guacamole.auth.postgresql.conf; import org.apache.guacamole.properties.BooleanGuacamoleProperty; +import org.apache.guacamole.properties.EnumGuacamoleProperty; import org.apache.guacamole.properties.FileGuacamoleProperty; import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; @@ -176,8 +177,8 @@ public class PostgreSQLGuacamoleProperties { * The SSL mode that should be used by the JDBC driver when making * connections to the remote server. By default SSL will be disabled. */ - public static final PostgreSQLSSLProperty POSTGRESQL_SSL_MODE = - new PostgreSQLSSLProperty() { + public static final EnumGuacamoleProperty POSTGRESQL_SSL_MODE = + new EnumGuacamoleProperty(PostgreSQLSSLMode.class) { @Override public String getName() { return "postgresql-ssl-mode"; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java index e9c75b9ab..709308ef8 100644 
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java @@ -19,31 +19,53 @@ package org.apache.guacamole.auth.postgresql.conf; +import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue; + /** * Possible values for PostgreSQL SSL connectivity. */ public enum PostgreSQLSSLMode { - // Do not use SSL to connect to server. + /** + * Do not use SSL to connect to server. + */ + @PropertyValue("disable") DISABLE("disable"), - // Allow SSL connections, but try non-SSL, first. + /** + * Allow SSL connections, but try non-SSL, first. + */ + @PropertyValue("allow") ALLOW("allow"), - // Prefer SSL connections, falling back to non-SSL if that fails. + /** + * Prefer SSL connections, falling back to non-SSL if that fails. + */ + @PropertyValue("prefer") PREFER("prefer"), - // Require SSL connections, do not connect if SSL fails. + /** + * Require SSL connections, do not connect if SSL fails. + */ + @PropertyValue("require") REQUIRE("require"), - // Require SSL connections and validate the CA certificate. + /** + * Require SSL connections and validate the CA certificate. + */ + @PropertyValue("verify-ca") VERIFY_CA("verify-ca"), - // Require SSL connections and validate both the CA and server certificates. + /** + * Require SSL connections and validate both the CA and server certificates. + */ + @PropertyValue("verify-full") VERIFY_FULL("verify-full"); - // The value actually passed on to the JDBC driver. - private String configValue; + /** + * The value actually passed on to the JDBC driver. + */ + private final String configValue; /** * Create a new instance of this enum with the given configValue as the 
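Review bot: Each constant now carries the same string twice, once in `@PropertyValue("verify-ca")` for parsing guacamole.properties and once as the constructor argument handed to the driver, and nothing in the hunk says whether the two are allowed to differ; a future "deduplication" could wire the configuration spelling straight through to the driver, or the two could drift apart unnoticed (the MySQL counterpart in this series ends up with different spellings for the two). A comment on the enum such as `* The @PropertyValue is the spelling accepted in guacamole.properties; the constructor argument is the value passed to the JDBC driver, and the two need not match.` would pin that down. The rewritten `REQUIRE` Javadoc still does not say that the server certificate is not validated in that mode, which is the distinction an operator most needs when choosing between `require` and `verify-ca`.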
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java deleted file mode 100644 index b014605ef..000000000 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.postgresql.conf; - -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleServerException; -import org.apache.guacamole.properties.GuacamoleProperty; - -/** - * - * @author nick_couchman - */ -public abstract class PostgreSQLSSLProperty - implements GuacamoleProperty { - - @Override - public PostgreSQLSSLMode parseValue(String value) throws GuacamoleException { - - if (value == null) - return null; - - PostgreSQLSSLMode mode = PostgreSQLSSLMode.getValue(value); - if (mode != null) - return mode; - - throw new GuacamoleServerException("Invalid PostgreSQL SSL mode configured."); - - } - -} From 986d5a12256f747e884d9317544c45b16f457340 Mon Sep 17 00:00:00 2001 
From: Virtually Nick
Date: Tue, 16 Jun 2020 11:44:07 -0400
Subject: [PATCH 5/6] GUACAMOLE-728: Properly expose JDBC driver values from enums.

---
 .../MySQLAuthenticationProviderModule.java | 2 +-
 .../auth/mysql/conf/MySQLSSLMode.java | 39 ++++++++++++++++---
 ...ostgreSQLAuthenticationProviderModule.java | 4 +-
 .../postgresql/conf/PostgreSQLSSLMode.java | 36 +++++++----------
 4 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
index f2908ee66..5dead1545 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
@@ -86,7 +86,7 @@ public class MySQLAuthenticationProviderModule implements Module {
 
         // Set the SSL mode to use when conncting
         MySQLSSLMode sslMode = environment.getMySQLSSLMode();
-        driverProperties.setProperty("sslMode", sslMode.toString());
+        driverProperties.setProperty("sslMode", sslMode.getDriverValue());
 
         // Set legacy properties
         if (sslMode == MySQLSSLMode.DISABLED)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
index a95bb556d..0820150c6 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java @@ -30,31 +30,60 @@ public enum MySQLSSLMode { * Do not use SSL at all. */ @PropertyValue("disabled") - DISABLED, + DISABLED("disabled"), /** * Prefer SSL, but fall back to unencrypted. */ @PropertyValue("preferred") - PREFERRED, + PREFERRED("preferred"), /** * Require SSL, but perform no certificate validation. */ @PropertyValue("required") - REQUIRED, + REQUIRED("required"), /** * Require SSL, and validate server certificate issuer. */ @PropertyValue("verify-ca") - VERIFY_CA, + VERIFY_CA("verify-ca"), /** * Require SSL and validate both server certificate issuer and server * identity. */ @PropertyValue("verify-identity") - VERIFY_IDENTITY; + VERIFY_IDENTITY("verify-identity"); + + /** + * The value expected by and passed on to the JDBC driver for the given + * SSL operation mode. + */ + private final String driverValue; + + /** + * Create a new instance of this enum with the given driverValue as the + * value that will be used when configuring the JDBC driver. + * + * @param driverValue + * The value to use when configuring the JDBC driver. + */ + MySQLSSLMode(String driverValue) { + this.driverValue = driverValue; + } + + /** + * Returns the String value for a given Enum that properly configures the + * JDBC driver for the desired mode of SSL operation. + * + * @return + * The String value for the current Enum that configures the JDBC driver + * for the desired mode of SSL operation. + */ + public String getDriverValue() { + return driverValue; + } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java index e65abb82f..67fafe452 100644 
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
@@ -75,10 +75,12 @@ public class PostgreSQLAuthenticationProviderModule implements Module {
 
         // Check the SSL mode and set if configured.
         PostgreSQLSSLMode sslMode = environment.getPostgreSQLSSLMode();
-        driverProperties.setProperty("sslmode", sslMode.toString());
+        driverProperties.setProperty("sslmode", sslMode.getDriverValue());
 
         // If SSL is enabled, check for and set other SSL properties.
         if (sslMode != PostgreSQLSSLMode.DISABLE) {
+
+            // Sets the legacy SSL configuration mode required by older servers.
             driverProperties.setProperty("ssl", "true");
 
             File sslClientCert = environment.getPostgreSQLSSLClientCertFile();
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
index 709308ef8..7a467f4c4 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
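Review bot: The legacy `ssl=true` flag is set for every mode other than `DISABLE`, including `ALLOW` and `PREFER`, whose whole point is to fall back to an unencrypted connection; if I recall the PostgreSQL JDBC driver's legacy semantics correctly, `ssl=true` on its own means "use SSL" with no fallback, so on driver versions that honour the legacy flag rather than `sslmode` those two modes would behave like `require`. If the flag is only needed for the SSL-mandatory modes, restrict it: `if (sslMode == PostgreSQLSSLMode.REQUIRE || sslMode == PostgreSQLSSLMode.VERIFY_CA || sslMode == PostgreSQLSSLMode.VERIFY_FULL)`. The new comment says the flag is "required by older servers", but it is read by the driver, not the server; `// Legacy flag for driver versions that predate the sslmode property.` would be accurate. The `if` block this sits in continues past the end of the hunk.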
@@ -63,42 +63,32 @@ public enum PostgreSQLSSLMode { VERIFY_FULL("verify-full"); /** - * The value actually passed on to the JDBC driver. + * The value expected by and passed on to the JDBC driver for the given + * SSL operation mode. */ - private final String configValue; + private final String driverValue; /** - * Create a new instance of this enum with the given configValue as the + * Create a new instance of this enum with the given driverValue as the * value that will be used when configuring the JDBC driver. * - * @param configValue + * @param driverValue * The value to use when configuring the JDBC driver. */ - PostgreSQLSSLMode(String configValue) { - this.configValue = configValue; - } - - @Override - public String toString() { - return configValue; + PostgreSQLSSLMode(String driverValue) { + this.driverValue = driverValue; } /** - * Given the String value, determine the correct enum value that matches - * the string, or null if there is no match. - * - * @param value - * The String value to test to find a match. + * Returns the String value for a given Enum that properly configures the + * JDBC driver for the desired mode of SSL operation. * * @return - * The enum value matching the given String. + * The String value for the current Enum that configures the JDBC driver + * for the desired mode of SSL operation. */ - public static PostgreSQLSSLMode getValue(String value) { - for (PostgreSQLSSLMode mode : PostgreSQLSSLMode.values()) { - if (mode.toString().equals(value)) - return mode; - } - return null; + public String getDriverValue() { + return driverValue; } } From f06056b4e48b3794e6a7d5a54d0cf88ba6537d70 Mon Sep 17 00:00:00 2001 
From: Virtually Nick
Date: Tue, 16 Jun 2020 14:50:44 -0400
Subject: [PATCH 6/6] GUACAMOLE-728: Use correct sslMode options for passing to JDBC driver.

---
 .../auth/mysql/MySQLAuthenticationProviderModule.java | 1 -
 .../apache/guacamole/auth/mysql/conf/MySQLSSLMode.java | 10 +++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
index 5dead1545..aca3f422d 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
@@ -23,7 +23,6 @@ import com.google.inject.Binder;
 import com.google.inject.Module;
 import com.google.inject.name.Names;
 import java.io.File;
-import java.net.URI;
 import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.mysql.conf.MySQLDriver;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
index 0820150c6..72dcd311e 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLSSLMode.java
@@ -30,32 +30,32 @@ public enum MySQLSSLMode { * Do not use SSL at all. */ @PropertyValue("disabled") - DISABLED("disabled"), + DISABLED("DISABLED"), /** * Prefer SSL, but fall back to unencrypted. */ @PropertyValue("preferred") - PREFERRED("preferred"), + PREFERRED("PREFERRED"), /** * Require SSL, but perform no certificate validation. */ @PropertyValue("required") - REQUIRED("required"), + REQUIRED("REQUIRED"), /** * Require SSL, and validate server certificate issuer. */ @PropertyValue("verify-ca") - VERIFY_CA("verify-ca"), + VERIFY_CA("VERIFY_CA"), /** * Require SSL and validate both server certificate issuer and server * identity. */ @PropertyValue("verify-identity") - VERIFY_IDENTITY("verify-identity"); + VERIFY_IDENTITY("VERIFY_IDENTITY"); /** * The value expected by and passed on to the JDBC driver for the given