GUACAMOLE-728: Add PostgreSQL SSL mode configuration.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLAuthenticationProviderModule.java

@@ -22,8 +22,11 @@ package org.apache.guacamole.auth.postgresql;
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import com.google.inject.name.Names;
+import java.io.File;
 import java.util.Properties;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLSSLMode;
 import org.mybatis.guice.datasource.helper.JdbcHelper;
 
 /**
@@ -69,6 +72,32 @@ public class PostgreSQLAuthenticationProviderModule implements Module {
 
         // Use UTF-8 in database
         driverProperties.setProperty("characterEncoding", "UTF-8");
+        
+        // Check the SSL mode and set if configured.
+        PostgreSQLSSLMode sslMode = environment.getPostgreSQLSSLMode();
+        driverProperties.setProperty("sslmode", sslMode.toString());
+        
+        // If SSL is enabled, check for and set other SSL properties.
+        if (sslMode != PostgreSQLSSLMode.DISABLE) {
+            driverProperties.setProperty("ssl", "true");
+
+            File sslClientCert = environment.getPostgreSQLSSLClientCertFile();
+            if (sslClientCert != null)
+                driverProperties.setProperty("sslcert", sslClientCert.getAbsolutePath());
+            
+            File sslClientKey = environment.getPostgreSQLSSLClientKeyFile();
+            if (sslClientKey != null)
+                driverProperties.setProperty("sslkey", sslClientKey.getAbsolutePath());
+            
+            File sslRootCert = environment.getPostgreSQLSSLClientRootCertFile();
+            if (sslRootCert != null)
+                driverProperties.setProperty("sslrootcert", sslRootCert.getAbsolutePath());
+            
+            String sslClientKeyPassword = environment.getPostgreSQLSSLClientKeyPassword();
+            if (sslClientKeyPassword != null)
+                driverProperties.setProperty("sslpassword", sslClientKeyPassword);
+            
+        }
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLInjectorProvider.java

@@ -24,6 +24,7 @@ import com.google.inject.Injector;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule;
 import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider;
+import org.apache.guacamole.auth.postgresql.conf.PostgreSQLEnvironment;
 
 /**
  * JDBCInjectorProvider implementation which configures Guice injections for

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java

@@ -17,8 +17,9 @@
  * under the License.
  */
 
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 
+import java.io.File;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.slf4j.Logger;
@@ -96,6 +97,11 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
      * the values that should be used in the absence of the correct properties.
      */
     private final int DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+    
+    /**
+     * The default value to use for SSL mode if none is explicitly configured.
+     */
+    private final PostgreSQLSSLMode DEFAULT_SSL_MODE = PostgreSQLSSLMode.DISABLE;
 
     /**
      * Constructs a new PostgreSQLEnvironment, providing access to PostgreSQL-specific
@@ -249,4 +255,77 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
         return true; // All versions of PostgreSQL support recursive queries through CTEs
     }
     
+    /**
+     * Get the SSL mode to use to make the JDBC connection to the PostgreSQL
+     * server.  If unspecified this will default to disabling SSL.
+     * 
+     * @return
+     *     The enum value of the SSL mode to use to make the JDBC connection
+     *     to the server.
+     * 
+     * @throws GuacamoleException 
+     *     If an error occurs retrieving the value from guacamole.properties.
+     */
+    public PostgreSQLSSLMode getPostgreSQLSSLMode() throws GuacamoleException {
+        return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_MODE,
+                DEFAULT_SSL_MODE);
+    }
+    
+    /**
+     * Return the SSL client certificate file to use to make the connection
+     * to the PostgreSQL server.
+     * 
+     * @return
+     *     The SSL client certificate file to use for the PostgreSQL connection.
+     * 
+     * @throws GuacamoleException
+     *     If an error occurs retrieving the value from guacamole.properties.
+     */
+    public File getPostgreSQLSSLClientCertFile() throws GuacamoleException {
+        return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_CERT_FILE);
+    }
+    
+    /**
+     * Return the SSL client private key file to use to make the connection to the
+     * PostgreSQL server.
+     * 
+     * @return
+     *     The SSL client private key file to use for the PostgreSQL connection.
+     * @throws GuacamoleException 
+     *     If an error occurs retrieving the value from guacamole.properties.
+     */
+    public File getPostgreSQLSSLClientKeyFile() throws GuacamoleException {
+        return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_FILE);
+    }
+    
+    /**
+     * Return the SSL client root certificate file to use to make the connection
+     * to the PostgreSQL server.
+     * 
+     * @return
+     *     The SSL client root certificate file to use to make the connection
+     *     to the PostgreSQL server.
+     * 
+     * @throws GuacamoleException 
+     *     If an error occurs retrieving the value from guacamole.properties.
+     */
+    public File getPostgreSQLSSLClientRootCertFile() throws GuacamoleException {
+        return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_ROOT_CERT_FILE);
+    }
+    
+    /**
+     * Return the password to use to decrypt the private SSL key file when making
+     * the connection to the PostgreSQL server.
+     * 
+     * @return
+     *     The password to use to decrypt the private SSL key file when making
+     *     the connection to the PostgreSQL server.
+     * 
+     * @throws GuacamoleException 
+     *     If an error occurs retrieving the value from guacamole.properties.
+     */
+    public String getPostgreSQLSSLClientKeyPassword() throws GuacamoleException {
+        return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_PASSWORD);
+    }
+    
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java

@@ -17,9 +17,10 @@
  * under the License.
  */
 
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 
 import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
 
@@ -170,5 +171,65 @@ public class PostgreSQLGuacamoleProperties {
         public String getName() { return "postgresql-default-max-group-connections-per-user"; }
 
     };
-
+    
+    /**
+     * The SSL mode that should be used by the JDBC driver when making
+     * connections to the remote server.  By default SSL will be disabled.
+     */
+    public static final PostgreSQLSSLProperty POSTGRESQL_SSL_MODE =
+            new PostgreSQLSSLProperty() {
+        
+        @Override
+        public String getName() { return "postgresql-ssl-mode"; }
+        
+    };
+    
+    /**
+     * The client SSL certificate file used by the JDBC driver to make the
+     * SSL connection.
+     */
+    public static final FileGuacamoleProperty POSTGRESQL_SSL_CERT_FILE =
+            new FileGuacamoleProperty() {
+             
+        @Override
+        public String getName() { return "postgresql-ssl-cert-file"; }
+                
+    };
+    
+    /**
+     * The client SSL private key file used by the JDBC driver to make the
+     * SSL connection.
+     */
+    public static final FileGuacamoleProperty POSTGRESQL_SSL_KEY_FILE =
+            new FileGuacamoleProperty() {
+    
+        @Override
+        public String getName() { return "postgresql-ssl-key-file"; }
+        
+    };
+    
+    /**
+     * The client SSL root certificate file used by the JDBC driver to validate
+     * certificates when making the SSL connection.
+     */
+    public static final FileGuacamoleProperty POSTGRESQL_SSL_ROOT_CERT_FILE =
+            new FileGuacamoleProperty() {
+        
+        @Override
+        public String getName() { return "postgresql-ssl-root-cert-file"; }
+        
+    };
+    
+    /**
+     * The password of the SSL private key used by the JDBC driver to make
+     * the SSL connection to the PostgreSQL server.
+     */
+    public static final StringGuacamoleProperty POSTGRESQL_SSL_KEY_PASSWORD =
+            new StringGuacamoleProperty() {
+        
+        @Override
+        public String getName() { return "postgresql-ssl-key-password"; }
+        
+    };
+    
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLPasswordPolicy.java

@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.guacamole.auth.postgresql;
+package org.apache.guacamole.auth.postgresql.conf;
 
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLMode.java

@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.postgresql.conf;
+
+/**
+ * Possible values for PostgreSQL SSL connectivity.
+ */
+public enum PostgreSQLSSLMode {
+    
+    // Do not use SSL to connect to server.
+    DISABLE("disable"),
+    
+    // Allow SSL connections, but try non-SSL, first.
+    ALLOW("allow"),
+    
+    // Prefer SSL connections, falling back to non-SSL if that fails.
+    PREFER("prefer"),
+    
+    // Require SSL connections, do not connect if SSL fails.
+    REQUIRE("require"),
+    
+    // Require SSL connections and validate the CA certificate.
+    VERIFY_CA("verify-ca"),
+    
+    // Require SSL connections and validate both the CA and server certificates.
+    VERIFY_FULL("verify-full");
+    
+    // The value actually passed on to the JDBC driver.
+    private String configValue;
+    
+    /**
+     * Create a new instance of this enum with the given configValue as the
+     * value that will be used when configuring the JDBC driver.
+     * 
+     * @param configValue
+     *     The value to use when configuring the JDBC driver.
+     */
+    PostgreSQLSSLMode(String configValue) {
+        this.configValue = configValue;
+    }
+    
+    @Override
+    public String toString() {
+        return configValue;
+    }
+    
+    /**
+     * Given the String value, determine the correct enum value that matches
+     * the string, or null if there is no match.
+     * 
+     * @param value
+     *     The String value to test to find a match.
+     * 
+     * @return 
+     *     The enum value matching the given String.
+     */
+    public static PostgreSQLSSLMode getValue(String value) {
+        for (PostgreSQLSSLMode mode : PostgreSQLSSLMode.values()) {
+            if (mode.toString().equals(value))
+                return mode;
+        }
+        return null;
+    }
+    
+}

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLSSLProperty.java

@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.postgresql.conf;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.properties.GuacamoleProperty;
+
+/**
+ *
+ * @author nick_couchman
+ */
+public abstract class PostgreSQLSSLProperty
+        implements GuacamoleProperty<PostgreSQLSSLMode> {
+    
+    @Override
+    public PostgreSQLSSLMode parseValue(String value) throws GuacamoleException {
+        
+        if (value == null)
+            return null;
+        
+        PostgreSQLSSLMode mode = PostgreSQLSSLMode.getValue(value);
+        if (mode != null)
+            return mode;
+        
+        throw new GuacamoleServerException("Invalid PostgreSQL SSL mode configured.");
+        
+    }
+    
+}