safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-579: Merge support for retrieving user attributes CAS.

Browse Source
This commit is contained in:
Mike Jumper
2019-06-23 19:20:14 -07:00
committed by GitHub
parent 82ea1d6ff5 9c26a7613c
commit f5aa986e63
11 changed files with 209 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
View File

@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.cas;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Arrays;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.GuacamoleException;
@@ -31,7 +32,7 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsExce
import org.apache.guacamole.auth.cas.conf.ConfigurationService;
import org.apache.guacamole.auth.cas.form.CASTicketField;
import org.apache.guacamole.auth.cas.ticket.TicketValidationService;
import org.apache.guacamole.auth.cas.user.AuthenticatedUser;
import org.apache.guacamole.auth.cas.user.CASAuthenticatedUser;
/**
* Service providing convenience functions for the CAS AuthenticationProvider
@@ -55,7 +56,7 @@ public class AuthenticationProviderService {
* Provider for AuthenticatedUser objects.
*/
@Inject
private Provider<AuthenticatedUser> authenticatedUserProvider;
private Provider<CASAuthenticatedUser> authenticatedUserProvider;
/**
* Returns an AuthenticatedUser representing the user authenticated by the
@@ -65,14 +66,14 @@ public class AuthenticationProviderService {
* The credentials to use for authentication.
*
* @return
* An AuthenticatedUser representing the user authenticated by the
* A CASAuthenticatedUser representing the user authenticated by the
* given credentials.
*
* @throws GuacamoleException
* If an error occurs while authenticating the user, or if access is
* denied.
*/
public AuthenticatedUser authenticateUser(Credentials credentials)
public CASAuthenticatedUser authenticateUser(Credentials credentials)
throws GuacamoleException {
// Pull CAS ticket from request if present
@@ -80,10 +81,11 @@ public class AuthenticationProviderService {
if (request != null) {
String ticket = request.getParameter(CASTicketField.PARAMETER_NAME);
if (ticket != null) {
String username = ticketService.validateTicket(ticket, credentials);
Map<String, String> tokens = ticketService.validateTicket(ticket, credentials);
String username = credentials.getUsername();
if (username != null) {
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(username, credentials);
CASAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(username, credentials, tokens);
return authenticatedUser;
}
}

15
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/CASAuthenticationProvider.java
View File

@@ -22,9 +22,12 @@ package org.apache.guacamole.auth.cas;
import com.google.inject.Guice;
import com.google.inject.Injector;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.cas.user.CASAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.TokenInjectingUserContext;
import org.apache.guacamole.net.auth.UserContext;
/**
* Guacamole authentication backend which authenticates users using an
@@ -71,5 +74,17 @@ public class CASAuthenticationProvider extends AbstractAuthenticationProvider {
return authProviderService.authenticateUser(credentials);
}
@Override
public UserContext decorate(UserContext context,
AuthenticatedUser authenticatedUser, Credentials credentials)
throws GuacamoleException {
if (!(authenticatedUser instanceof CASAuthenticatedUser))
return context;
return new TokenInjectingUserContext(context,
((CASAuthenticatedUser) authenticatedUser).getTokens());
}
}

50
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
View File

@@ -28,13 +28,16 @@ import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import javax.xml.bind.DatatypeConverter;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.cas.conf.ConfigurationService;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.apache.guacamole.token.TokenName;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
@@ -52,6 +55,11 @@ public class TicketValidationService {
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class);
/**
* The prefix to use when generating token names.
*/
public static final String CAS_ATTRIBUTE_TOKEN_PREFIX = "CAS_";
/**
* Service for retrieving CAS configuration information.
@@ -60,9 +68,9 @@ public class TicketValidationService {
private ConfigurationService confService;
/**
* Validates and parses the given ID ticket, returning the username
* provided by the CAS server in the ticket. If the
* ticket is invalid an exception is thrown.
* Validates and parses the given ID ticket, returning a map of all
* available tokens for the given user based on attributes provided by the
* CAS server. If the ticket is invalid an exception is thrown.
*
* @param ticket
* The ID ticket to validate and parse.
@@ -72,13 +80,15 @@ public class TicketValidationService {
* password values in.
*
* @return
* The username derived from the ticket.
* A Map all of tokens for the user parsed from attributes returned
* by the CAS server.
*
* @throws GuacamoleException
* If the ID ticket is not valid or guacamole.properties could
* not be parsed.
*/
public String validateTicket(String ticket, Credentials credentials) throws GuacamoleException {
public Map<String, String> validateTicket(String ticket,
Credentials credentials) throws GuacamoleException {
// Retrieve the configured CAS URL, establish a ticket validator,
// and then attempt to validate the supplied ticket. If that succeeds,
@@ -88,33 +98,43 @@ public class TicketValidationService {
validator.setAcceptAnyProxy(true);
validator.setEncoding("UTF-8");
try {
Map<String, String> tokens = new HashMap<>();
String confRedirectURI = confService.getRedirectURI();
Assertion a = validator.validate(ticket, confRedirectURI);
AttributePrincipal principal = a.getPrincipal();
Map<String, Object> ticketAttrs =
new HashMap<>(principal.getAttributes());
// Retrieve username and set the credentials.
String username = principal.getName();
if (username != null)
credentials.setUsername(username);
if (username == null)
throw new GuacamoleSecurityException("No username provided by CAS.");
credentials.setUsername(username);
// Retrieve password, attempt decryption, and set credentials.
Object credObj = principal.getAttributes().get("credential");
Object credObj = ticketAttrs.remove("credential");
if (credObj != null) {
String clearPass = decryptPassword(credObj.toString());
if (clearPass != null && !clearPass.isEmpty())
credentials.setPassword(clearPass);
}
// Convert remaining attributes that have values to Strings
for (Entry <String, Object> attr : ticketAttrs.entrySet()) {
String tokenName = TokenName.canonicalize(attr.getKey(),
CAS_ATTRIBUTE_TOKEN_PREFIX);
Object value = attr.getValue();
if (value != null)
tokens.put(tokenName, value.toString());
}
return username;
return tokens;
}
catch (TicketValidationException e) {
throw new GuacamoleException("Ticket validation failed.", e);
}
catch (Throwable t) {
logger.error("Error validating ticket with CAS server: {}", t.getMessage());
throw new GuacamoleInvalidCredentialsException("CAS login failed.", CredentialsInfo.USERNAME_PASSWORD);
}
}

43
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/AuthenticatedUser.java → extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/user/CASAuthenticatedUser.java
View File

@@ -20,6 +20,8 @@
package org.apache.guacamole.auth.cas.user;
import com.google.inject.Inject;
import java.util.Collections;
import java.util.Map;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;
@@ -29,7 +31,7 @@ import org.apache.guacamole.net.auth.Credentials;
* username and particular set of credentials with the CAS authentication
* provider.
*/
public class AuthenticatedUser extends AbstractAuthenticatedUser {
public class CASAuthenticatedUser extends AbstractAuthenticatedUser {
/**
* Reference to the authentication provider associated with this
@@ -42,10 +44,15 @@ public class AuthenticatedUser extends AbstractAuthenticatedUser {
* The credentials provided when this user was authenticated.
*/
private Credentials credentials;
/**
* Tokens associated with this authenticated user.
*/
private Map<String, String> tokens;
/**
* Initializes this AuthenticatedUser using the given username and
* credentials.
* credentials, and an empty map of parameter tokens.
*
* @param username
* The username of the user that was authenticated.
@@ -54,10 +61,42 @@ public class AuthenticatedUser extends AbstractAuthenticatedUser {
* The credentials provided when this user was authenticated.
*/
public void init(String username, Credentials credentials) {
this.init(username, credentials, Collections.emptyMap());
}
/**
* Initializes this AuthenticatedUser using the given username,
* credentials, and parameter tokens.
*
* @param username
* The username of the user that was authenticated.
*
* @param credentials
* The credentials provided when this user was authenticated.
*
* @param tokens
* A map of all the name/value pairs that should be available
* as tokens when connections are established with this user.
*/
public void init(String username, Credentials credentials,
Map<String, String> tokens) {
this.credentials = credentials;
this.tokens = Collections.unmodifiableMap(tokens);
setIdentifier(username.toLowerCase());
}
/**
* Returns a Map containing the name/value pairs that can be applied
* as parameter tokens when connections are established by the user.
*
* @return
* A Map containing all of the name/value pairs that can be
* used as parameter tokens by this user.
*/
public Map<String, String> getTokens() {
return tokens;
}
@Override
public AuthenticationProvider getAuthenticationProvider() {
return authProvider;

8
extensions/guacamole-auth-ldap/pom.xml
View File

@@ -160,14 +160,6 @@
<version>3.0</version>
</dependency>
<!-- JUnit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>

13
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
View File

@@ -41,6 +41,7 @@ import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.apache.guacamole.token.TokenName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -53,7 +54,12 @@ public class AuthenticationProviderService {
/**
* Logger for this class.
*/
private final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
/**
* The prefix that will be used when generating tokens.
*/
public static final String LDAP_ATTRIBUTE_TOKEN_PREFIX = "LDAP_";
/**
* Service for creating and managing connections to LDAP servers.
@@ -294,7 +300,7 @@ public class AuthenticationProviderService {
String[] attrArray = attrList.toArray(new String[attrList.size()]);
String userDN = getUserBindDN(username);
Map<String, String> tokens = new HashMap<String, String>();
Map<String, String> tokens = new HashMap<>();
try {
// Get LDAP attributes by querying LDAP
@@ -309,7 +315,8 @@ public class AuthenticationProviderService {
// Convert each retrieved attribute into a corresponding token
for (Object attrObj : attrSet) {
LDAPAttribute attr = (LDAPAttribute)attrObj;
tokens.put(TokenName.fromAttribute(attr.getName()), attr.getStringValue());
tokens.put(TokenName.canonicalize(attr.getName(),
LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getStringValue());
}
}

1
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
View File

@@ -28,7 +28,6 @@ import com.novell.ldap.LDAPJSSEStartTLSFactory;
import java.io.UnsupportedEncodingException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleUnsupportedException;
import org.apache.guacamole.auth.ldap.ReferralAuthHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

9
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java
View File

@@ -19,12 +19,9 @@
package org.apache.guacamole.auth.ldap;
import com.google.inject.Inject;
import com.novell.ldap.LDAPAuthHandler;
import com.novell.ldap.LDAPAuthProvider;
import com.novell.ldap.LDAPConnection;
import java.io.UnsupportedEncodingException;
import org.apache.guacamole.GuacamoleException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -48,6 +45,12 @@ public class ReferralAuthHandler implements LDAPAuthHandler {
* Creates a ReferralAuthHandler object to handle authentication when
* following referrals in a LDAP connection, using the provided dn and
* password.
*
* @param dn
* The distinguished name to use for the referral login.
*
* @param password
* The password to use for the referral login.
*/
public ReferralAuthHandler(String dn, String password) {
byte[] passwordBytes;

53
extensions/guacamole-auth-ldap/src/test/java/org/apache/guacamole/auth/ldap/TokenNameTest.java
View File

@@ -1,53 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
/**
* Test which verifies automatic generation of LDAP-specific connection
* parameter token names.
*/
public class TokenNameTest {
/**
* Verifies that TokenName.fromAttribute() generates token names as
* specified, regardless of the naming convention of the attribute.
*/
@Test
public void testFromAttribute() {
assertEquals("LDAP_A", TokenName.fromAttribute("a"));
assertEquals("LDAP_B", TokenName.fromAttribute("b"));
assertEquals("LDAP_1", TokenName.fromAttribute("1"));
assertEquals("LDAP_SOME_URL", TokenName.fromAttribute("someURL"));
assertEquals("LDAP_LOWERCASE_WITH_DASHES", TokenName.fromAttribute("lowercase-with-dashes"));
assertEquals("LDAP_HEADLESS_CAMEL_CASE", TokenName.fromAttribute("headlessCamelCase"));
assertEquals("LDAP_CAMEL_CASE", TokenName.fromAttribute("CamelCase"));
assertEquals("LDAP_CAMEL_CASE", TokenName.fromAttribute("CamelCase"));
assertEquals("LDAP_LOWERCASE_WITH_UNDERSCORES", TokenName.fromAttribute("lowercase_with_underscores"));
assertEquals("LDAP_UPPERCASE_WITH_UNDERSCORES", TokenName.fromAttribute("UPPERCASE_WITH_UNDERSCORES"));
assertEquals("LDAP_A_VERY_INCONSISTENT_MIX_OF_ALL_STYLES", TokenName.fromAttribute("aVery-INCONSISTENTMix_ofAllStyles"));
assertEquals("LDAP_ABC_123_DEF_456", TokenName.fromAttribute("abc123def456"));
assertEquals("LDAP_ABC_123_DEF_456", TokenName.fromAttribute("ABC123DEF456"));
assertEquals("LDAP_WORD_A_WORD_AB_WORD_ABC_WORD", TokenName.fromAttribute("WordAWordABWordABCWord"));
}
}

60
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/TokenName.java → guacamole-ext/src/main/java/org/apache/guacamole/token/TokenName.java
View File

@@ -17,7 +17,7 @@
* under the License.
*/
package org.apache.guacamole.auth.ldap;
package org.apache.guacamole.token;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -28,19 +28,13 @@ import java.util.regex.Pattern;
public class TokenName {
/**
* The prefix string to add to each parameter token generated from an LDAP
* attribute name.
*/
private static final String LDAP_ATTRIBUTE_TOKEN_PREFIX = "LDAP_";
/**
* Pattern which matches logical groupings of words within an LDAP
* attribute name. This pattern is intended to match logical groupings
* Pattern which matches logical groupings of words within a
* string. This pattern is intended to match logical groupings
* regardless of the naming convention used: "CamelCase",
* "headlessCamelCase", "lowercase_with_underscores",
* "lowercase-with-dashes" or even "aVery-INCONSISTENTMix_ofAllStyles".
*/
private static final Pattern LDAP_ATTRIBUTE_NAME_GROUPING = Pattern.compile(
private static final Pattern STRING_NAME_GROUPING = Pattern.compile(
// "Camel" word groups
"\\p{javaUpperCase}\\p{javaLowerCase}+"
@@ -67,31 +61,35 @@ public class TokenName {
/**
* Generates the name of the parameter token that should be populated with
* the value of the given LDAP attribute. The name of the LDAP attribute
* will automatically be transformed from "CamelCase", "headlessCamelCase",
* "lowercase_with_underscores", and "mixes_ofBoth_Styles" to consistent
* "UPPERCASE_WITH_UNDERSCORES". Each returned attribute will be prefixed
* with "LDAP_".
* the given string. The provided string will be automatically transformed
* from "CamelCase", "headlessCamelCase", "lowercase_with_underscores",
* and "mixes_ofBoth_Styles" to consistent "UPPERCASE_WITH_UNDERSCORES".
* Each returned token name will be prefixed with the string value provided
* in the prefix. The value provided in prefix will be prepended to the
* string, but will itself not be transformed.
*
* @param name
* The name of the LDAP attribute to use to generate the token name.
* The string to be used to generate the token name.
*
* @param prefix
* The prefix to prepend to the generated token name.
*
* @return
* The name of the parameter token that should be populated with the
* value of the LDAP attribute having the given name.
* given string.
*/
public static String fromAttribute(String name) {
public static String canonicalize(final String name, final String prefix) {
// If even one logical word grouping cannot be found, default to
// simply converting the attribute to uppercase and adding the
// simply converting the string to uppercase and adding the
// prefix
Matcher groupMatcher = LDAP_ATTRIBUTE_NAME_GROUPING.matcher(name);
Matcher groupMatcher = STRING_NAME_GROUPING.matcher(name);
if (!groupMatcher.find())
return LDAP_ATTRIBUTE_TOKEN_PREFIX + name.toUpperCase();
return prefix + name.toUpperCase();
// Split the given name into logical word groups, separated by
// underscores and converted to uppercase
StringBuilder builder = new StringBuilder(LDAP_ATTRIBUTE_TOKEN_PREFIX);
StringBuilder builder = new StringBuilder(prefix);
builder.append(groupMatcher.group(0).toUpperCase());
while (groupMatcher.find()) {
@@ -102,5 +100,23 @@ public class TokenName {
return builder.toString();
}
/**
* Generate the name of a parameter token from the given string, with no
* added prefix, such that the token name will simply be the transformed
* version of the string. See
* {@link #canonicalize(java.lang.String, java.lang.String)}
*
*
* @param name
* The string to use to generate the token name.
*
* @return
* The name of the parameter token that should be populated with the
* given string.
*/
public static String canonicalize(final String name) {
return canonicalize(name, "");
}
}

55
guacamole-ext/src/test/java/org/apache/guacamole/token/TokenNameTest.java Normal file
View File

@@ -0,0 +1,55 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.token;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
/**
* Test which verifies automatic generation of connection parameter token names.
*/
public class TokenNameTest {
/**
* Verifies that TokenName.canonicalize() generates token names as
* specified, regardless of the format of the provided string.
*/
@Test
public void testCanonicalize() {
assertEquals("A", TokenName.canonicalize("a"));
assertEquals("B", TokenName.canonicalize("b"));
assertEquals("1", TokenName.canonicalize("1"));
assertEquals("SOME_URL", TokenName.canonicalize("someURL"));
assertEquals("LOWERCASE_WITH_DASHES", TokenName.canonicalize("lowercase-with-dashes"));
assertEquals("HEADLESS_CAMEL_CASE", TokenName.canonicalize("headlessCamelCase"));
assertEquals("CAMEL_CASE", TokenName.canonicalize("CamelCase"));
assertEquals("CAMEL_CASE", TokenName.canonicalize("CamelCase"));
assertEquals("LOWERCASE_WITH_UNDERSCORES", TokenName.canonicalize("lowercase_with_underscores"));
assertEquals("UPPERCASE_WITH_UNDERSCORES", TokenName.canonicalize("UPPERCASE_WITH_UNDERSCORES"));
assertEquals("A_VERY_INCONSISTENT_MIX_OF_ALL_STYLES", TokenName.canonicalize("aVery-INCONSISTENTMix_ofAllStyles"));
assertEquals("ABC_123_DEF_456", TokenName.canonicalize("abc123def456"));
assertEquals("ABC_123_DEF_456", TokenName.canonicalize("ABC123DEF456"));
assertEquals("WORD_A_WORD_AB_WORD_ABC_WORD", TokenName.canonicalize("WordAWordABWordABCWord"));
assertEquals("AUTH_ATTRIBUTE", TokenName.canonicalize("Attribute", "AUTH_"));
assertEquals("auth_SOMETHING", TokenName.canonicalize("Something", "auth_"));
}
}