diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
index dc57ff700..e65abb82f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java
@@ -22,8 +22,11 @@ package org.apache.guacamole.auth.postgresql;
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import com.google.inject.name.Names;
+import java.io.File;
 import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLSSLMode;
 import org.mybatis.guice.datasource.helper.JdbcHelper;
 /**
@@ -69,6 +72,32 @@ public class PostgreSQLAuthenticationProviderModule implements Module {
 // Use UTF-8 in database
 driverProperties.setProperty("characterEncoding", "UTF-8");
+
+ // Check the SSL mode and set if configured.
+ PostgreSQLSSLMode sslMode = environment.getPostgreSQLSSLMode();
+ driverProperties.setProperty("sslmode", sslMode.toString());
+
+ // If SSL is enabled, check for and set other SSL properties.
+ if (sslMode != PostgreSQLSSLMode.DISABLE) {
+ driverProperties.setProperty("ssl", "true");
+
+ File sslClientCert = environment.getPostgreSQLSSLClientCertFile();
+ if (sslClientCert != null)
+ driverProperties.setProperty("sslcert", sslClientCert.getAbsolutePath());
+
+ File sslClientKey = environment.getPostgreSQLSSLClientKeyFile();
+ if (sslClientKey != null)
+ driverProperties.setProperty("sslkey", sslClientKey.getAbsolutePath());
+
+ File sslRootCert = environment.getPostgreSQLSSLClientRootCertFile();
+ if (sslRootCert != null)
+ driverProperties.setProperty("sslrootcert", sslRootCert.getAbsolutePath());
+
+ String sslClientKeyPassword = environment.getPostgreSQLSSLClientKeyPassword();
+ if (sslClientKeyPassword != null)
+ driverProperties.setProperty("sslpassword", sslClientKeyPassword);
+
+ }
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
index ae8f88fe8..f04ff7448 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java
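Review bot: `driverProperties.setProperty("sslmode", sslMode.toString())` runs even when no `postgresql-ssl-mode` is configured, because `getPostgreSQLSSLMode()` appears to substitute `DEFAULT_SSL_MODE` (`DISABLE`) for an absent property, so every existing deployment now hands the driver an explicit `sslmode=disable` instead of leaving the driver's own default in force; if that built-in default is stronger than `disable`, upgrading silently downgrades those connections to cleartext. Either leave `sslmode` unset when the administrator has not configured it, or state in the `postgresql-ssl-mode` property documentation that an unset property forces SSL off so operators can opt in deliberately. The method this block belongs to begins outside the hunk.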
@@ -24,6 +24,7 @@ import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule;
 import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
 /**
 * JDBCInjectorProvider implementation which configures Guice injections for
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
similarity index 74%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
index 4ac99e8d1..24e286e5a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java
@@ -17,8 +17,9 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
+import java.io.File;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.slf4j.Logger;
@@ -96,6 +97,11 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
 * the values that should be used in the absence of the correct properties.
 */
 private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+
+ /**
+ * The default value to use for SSL mode if none is explicitly configured.
+ */
+ private final PostgreSQLSSLMode DEFAULT_SSL_MODE = PostgreSQLSSLMode.DISABLE;
 /**
 * Constructs a new PostgreSQLEnvironment, providing access to PostgreSQL-specific
@@ -249,4 +255,77 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
 return true; // All versions of PostgreSQL support recursive queries through CTEs
 }
+ /**
+ * Get the SSL mode to use to make the JDBC connection to the PostgreSQL
+ * server. If unspecified this will default to disabling SSL.
+ *
+ * @return
+ * The enum value of the SSL mode to use to make the JDBC connection
+ * to the server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public PostgreSQLSSLMode getPostgreSQLSSLMode() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_MODE,
+ DEFAULT_SSL_MODE);
+ }
+
+ /**
+ * Return the SSL client certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @return
+ * The SSL client certificate file to use for the PostgreSQL connection.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientCertFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_CERT_FILE);
+ }
+
+ /**
+ * Return the SSL client private key file to use to make the connection to the
+ * PostgreSQL server.
+ *
+ * @return
+ * The SSL client private key file to use for the PostgreSQL connection.
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientKeyFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_FILE);
+ }
+
+ /**
+ * Return the SSL client root certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @return
+ * The SSL client root certificate file to use to make the connection
+ * to the PostgreSQL server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public File getPostgreSQLSSLClientRootCertFile() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_ROOT_CERT_FILE);
+ }
+
+ /**
+ * Return the password to use to decrypt the private SSL key file when making
+ * the connection to the PostgreSQL server.
+ *
+ * @return
+ * The password to use to decrypt the private SSL key file when making
+ * the connection to the PostgreSQL server.
+ *
+ * @throws GuacamoleException
+ * If an error occurs retrieving the value from guacamole.properties.
+ */
+ public String getPostgreSQLSSLClientKeyPassword() throws GuacamoleException {
+ return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_PASSWORD);
+ }
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
similarity index 72%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
index 971165141..afd77140e 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java
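Review bot: The Javadoc on `getPostgreSQLSSLClientKeyFile` omits the blank ` *` line between `@return` and `@throws` that every other getter in this hunk has; add ` *` before `@throws GuacamoleException` so the five blocks read alike. Separately, `getPostgreSQLSSLClientRootCertFile` calls the file a "client root cert" although its own Javadoc, the `postgresql-ssl-root-cert-file` property and the driver's `sslrootcert` setting all treat it as the CA certificate used to validate the server, so a name such as `getPostgreSQLSSLRootCertFile` would be less misleading for the `VERIFY_CA`/`VERIFY_FULL` cases and the method is new in this commit, so renaming is cheap. The class holding these getters starts outside the hunk.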
@@ -17,9 +17,10 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
@@ -170,5 +171,65 @@ public class PostgreSQLGuacamoleProperties {
 public String getName() { return "postgresql-default-max-group-connections-per-user"; }
 };
-
+
+ /**
+ * The SSL mode that should be used by the JDBC driver when making
+ * connections to the remote server. By default SSL will be disabled.
+ */
+ public static final PostgreSQLSSLProperty POSTGRESQL_SSL_MODE =
+ new PostgreSQLSSLProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-mode"; }
+
+ };
+
+ /**
+ * The client SSL certificate file used by the JDBC driver to make the
+ * SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_CERT_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-cert-file"; }
+
+ };
+
+ /**
+ * The client SSL private key file used by the JDBC driver to make the
+ * SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_KEY_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-key-file"; }
+
+ };
+
+ /**
+ * The client SSL root certificate file used by the JDBC driver to validate
+ * certificates when making the SSL connection.
+ */
+ public static final FileGuacamoleProperty POSTGRESQL_SSL_ROOT_CERT_FILE =
+ new FileGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-root-cert-file"; }
+
+ };
+
+ /**
+ * The password of the SSL private key used by the JDBC driver to make
+ * the SSL connection to the PostgreSQL server.
+ */
+ public static final StringGuacamoleProperty POSTGRESQL_SSL_KEY_PASSWORD =
+ new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "postgresql-ssl-key-password"; }
+
+ };
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
similarity index 99%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
index b35507df9..7f2a36a29 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLPasswordPolicy.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java
@@ -17,7 +17,7 @@
 * under the License.
 */
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
new file mode 100644
index 000000000..e9c75b9ab
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.postgresql.conf;
+
+/**
+ * Possible values for PostgreSQL SSL connectivity.
+ */
+public enum PostgreSQLSSLMode {
+
+ // Do not use SSL to connect to server.
+ DISABLE("disable"),
+
+ // Allow SSL connections, but try non-SSL, first.
+ ALLOW("allow"),
+
+ // Prefer SSL connections, falling back to non-SSL if that fails.
+ PREFER("prefer"),
+
+ // Require SSL connections, do not connect if SSL fails.
+ REQUIRE("require"),
+
+ // Require SSL connections and validate the CA certificate.
+ VERIFY_CA("verify-ca"),
+
+ // Require SSL connections and validate both the CA and server certificates.
+ VERIFY_FULL("verify-full");
+
+ // The value actually passed on to the JDBC driver.
+ private String configValue;
+
+ /**
+ * Create a new instance of this enum with the given configValue as the
+ * value that will be used when configuring the JDBC driver.
+ *
+ * @param configValue
+ * The value to use when configuring the JDBC driver.
+ */
+ PostgreSQLSSLMode(String configValue) {
+ this.configValue = configValue;
+ }
+
+ @Override
+ public String toString() {
+ return configValue;
+ }
+
+ /**
+ * Given the String value, determine the correct enum value that matches
+ * the string, or null if there is no match.
+ *
+ * @param value
+ * The String value to test to find a match.
+ *
+ * @return
+ * The enum value matching the given String.
+ */
+ public static PostgreSQLSSLMode getValue(String value) {
+ for (PostgreSQLSSLMode mode : PostgreSQLSSLMode.values()) {
+ if (mode.toString().equals(value))
+ return mode;
+ }
+ return null;
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java
new file mode 100644
index 000000000..b014605ef
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java
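Review bot: `private String configValue;` is assigned only in the constructor and never changes afterwards, so it should be `private final String configValue;` — as written, any method later added to the enum could rewrite the string a constant hands to the JDBC driver. `getValue` also matches on `mode.toString()`, which ties the lookup to a method that is conventionally free to change for display purposes; `if (mode.configValue.equals(value))` states the intent directly and keeps parsing stable if `toString()` is ever revisited. The six `//` comments above the constants would serve readers better as `/** ... */` Javadoc, since those constants are the public API that `getValue` resolves configuration strings to.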
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.postgresql.conf;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.properties.GuacamoleProperty;
+
+/**
+ *
+ * @author nick_couchman
+ */
+public abstract class PostgreSQLSSLProperty
+ implements GuacamoleProperty {
+
+ @Override
+ public PostgreSQLSSLMode parseValue(String value) throws GuacamoleException {
+
+ if (value == null)
+ return null;
+
+ PostgreSQLSSLMode mode = PostgreSQLSSLMode.getValue(value);
+ if (mode != null)
+ return mode;
+
+ throw new GuacamoleServerException("Invalid PostgreSQL SSL mode configured.");
+
+ }
+
+}
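Review bot: The class Javadoc on `PostgreSQLSSLProperty` is empty apart from `@author`, so the one thing a reader needs — which strings `parseValue` accepts — is never stated; replace the blank summary with `A GuacamoleProperty whose value is a PostgreSQLSSLMode, parsed from the same strings the JDBC driver takes ("disable", "allow", "prefer", "require", "verify-ca", "verify-full").` The rejection on the `throw` line also discards the offending text, which is exactly what an administrator needs to correct guacamole.properties; `throw new GuacamoleServerException("Invalid PostgreSQL SSL mode configured: \"" + value + "\"");` keeps the message actionable, and the value is a mode name rather than a credential so echoing it is harmless. If `implements GuacamoleProperty {` really lacks the `<PostgreSQLSSLMode>` type argument (it may simply have been lost in rendering), the interface should be parameterised so the `getProperty` call in `PostgreSQLEnvironment` resolves to `PostgreSQLSSLMode` without an unchecked cast.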