GUACAMOLE-641: Rename guacamole-auth-vault to guacamole-vault (does not provide auth).

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/AzureKeyVaultAuthenticationProvider.java

@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.vault.VaultAuthenticationProvider;
+
+/**
+ * VaultAuthenticationProvider implementation which reads secrets from Azure
+ * Key Vault.
+ */
+public class AzureKeyVaultAuthenticationProvider extends VaultAuthenticationProvider {
+
+    /**
+     * Creates a new AzureKeyVaultAuthenticationProvider which reads secrets
+     * from a configured Azure Key Vault.
+     *
+     * @throws GuacamoleException
+     *     If configuration details cannot be read from guacamole.properties.
+     */
+    public AzureKeyVaultAuthenticationProvider() throws GuacamoleException {
+        super(new AzureKeyVaultAuthenticationProviderModule());
+    }
+
+    @Override
+    public String getIdentifier() {
+        return "azure-keyvault";
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/AzureKeyVaultAuthenticationProviderModule.java

@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure;
+
+import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.vault.VaultAuthenticationProviderModule;
+import org.apache.guacamole.vault.azure.conf.AzureKeyVaultConfigurationService;
+import org.apache.guacamole.vault.azure.conf.AzureKeyVaultCredentials;
+import org.apache.guacamole.vault.azure.secret.AzureKeyVaultSecretService;
+import org.apache.guacamole.vault.conf.VaultConfigurationService;
+import org.apache.guacamole.vault.secret.VaultSecretService;
+
+/**
+ * Guice module which configures injections specific to Azure Key Vault
+ * support.
+ */
+public class AzureKeyVaultAuthenticationProviderModule
+        extends VaultAuthenticationProviderModule {
+
+    /**
+     * Creates a new AzureKeyVaultAuthenticationProviderModule which
+     * configures dependency injection for the Azure Key Vault authentication
+     * provider and related services.
+     *
+     * @throws GuacamoleException
+     *     If configuration details in guacamole.properties cannot be parsed.
+     */
+    public AzureKeyVaultAuthenticationProviderModule() throws GuacamoleException {}
+
+    @Override
+    protected void configureVault() {
+
+        // Bind services specific to Azure Key Vault
+        bind(VaultConfigurationService.class).to(AzureKeyVaultConfigurationService.class);
+        bind(VaultSecretService.class).to(AzureKeyVaultSecretService.class);
+
+        // Bind ADAL credentials implementation required for authenticating
+        // against Azure
+        bind(KeyVaultCredentials.class).to(AzureKeyVaultCredentials.class);
+
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/conf/AzureKeyVaultAuthenticationException.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure.conf;
+
+/**
+ * Unchecked exception thrown by AzureKeyVaultCredentials if an error occurs
+ * during the authentication process. Note that the base KeyVaultCredentials
+ * base class does not provide for checked exceptions within the authentication
+ * process.
+ *
+ * @see AzureKeyVaultCredentials#doAuthenticate(java.lang.String, java.lang.String, java.lang.String)
+ */
+public class AzureKeyVaultAuthenticationException extends RuntimeException {
+
+    /**
+     * Creates a new AzureKeyVaultAuthenticationException having the given
+     * human-readable message.
+     *
+     * @param message
+     *     A human-readable message describing the error that occurred.
+     */
+    public AzureKeyVaultAuthenticationException(String message) {
+        super(message);
+    }
+
+    /**
+     * Creates a new AzureKeyVaultAuthenticationException having the given
+     * human-readable message and cause.
+     *
+     * @param message
+     *     A human-readable message describing the error that occurred.
+     *
+     * @param cause
+     *     The error that caused this exception.
+     */
+   public AzureKeyVaultAuthenticationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/conf/AzureKeyVaultConfigurationService.java

@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure.conf;
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import com.microsoft.aad.adal4j.ClientCredential;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.IntegerGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.vault.conf.VaultConfigurationService;
+
+/**
+ * Service for retrieving configuration information regarding the Azure Key
+ * Vault authentication extension.
+ */
+@Singleton
+public class AzureKeyVaultConfigurationService extends VaultConfigurationService {
+
+    /**
+     * The Guacamole server environment.
+     */
+    @Inject
+    private Environment environment;
+
+    /**
+     * The name of the file which contains the JSON mapping of connection
+     * parameter token to Azure Key Vault secret name.
+     */
+    private static final String TOKEN_MAPPING_FILENAME = "azure-keyvault-token-mapping.json";
+
+    /**
+     * The number of milliseconds that each retrieved secret should be cached
+     * for.
+     */
+    private static final IntegerGuacamoleProperty SECRET_TTL = new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() {
+            return "azure-keyvault-secret-ttl";
+        }
+
+    };
+
+    /**
+     * The URL of the Azure Key Vault that should be used to populate token
+     * values.
+     */
+    private static final StringGuacamoleProperty VAULT_URL = new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() {
+            return "azure-keyvault-url";
+        }
+
+    };
+
+    /**
+     * The client ID that should be used to authenticate with Azure Key Vault
+     * using ADAL.
+     */
+    private static final StringGuacamoleProperty CLIENT_ID = new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() {
+            return "azure-keyvault-client-id";
+        }
+
+    };
+
+    /**
+     * The client key that should be used to authenticate with Azure Key Vault
+     * using ADAL.
+     */
+    private static final StringGuacamoleProperty CLIENT_KEY = new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() {
+            return "azure-keyvault-client-key";
+        }
+
+    };
+
+    /**
+     * Creates a new AzureKeyVaultConfigurationService which reads the token
+     * mapping from "azure-keyvault-token-mapping.json". The token mapping is
+     * a JSON file which lists each connection parameter token and the name of
+     * the secret from which the value for that token should be read.
+     */
+    public AzureKeyVaultConfigurationService() {
+        super(TOKEN_MAPPING_FILENAME);
+    }
+
+    /**
+     * Returns the number of milliseconds that each retrieved secret should be
+     * cached for. By default, secrets are cached for 10 seconds.
+     *
+     * @return
+     *     The number of milliseconds to cache each retrieved secret.
+     *
+     * @throws GuacamoleException
+     *     If the value specified within guacamole.properties cannot be
+     *     parsed.
+     */
+    public int getSecretTTL() throws GuacamoleException {
+        return environment.getProperty(SECRET_TTL, 10000);
+    }
+
+    /**
+     * Returns the base URL of the Azure Key Vault containing the secrets that
+     * should be retrieved to populate connection parameter tokens. The base
+     * URL is specified with the "azure-keyvault-url" property.
+     *
+     * @return
+     *     The base URL of the Azure Key Vault.
+     *
+     * @throws GuacamoleException
+     *     If the base URL is not specified within guacamole.properties.
+     */
+    public String getVaultURL() throws GuacamoleException {
+        return environment.getRequiredProperty(VAULT_URL);
+    }
+
+    /**
+     * Returns the credentials that should be used to authenticate with Azure
+     * Key Vault when retrieving secrets. Azure's "ADAL" authentication will be
+     * used, requiring a client ID and key. These values are specified with the
+     * "azure-keyvault-client-id" and "azure-keyvault-client-key" properties
+     * respectively.
+     *
+     * @return
+     *     The credentials that should be used to authenticate with Azure Key
+     *     Vault.
+     *
+     * @throws GuacamoleException
+     *     If the client ID or key are not specified within
+     *     guacamole.properties.
+     */
+    public ClientCredential getClientCredentials() throws GuacamoleException {
+        return new ClientCredential(
+            environment.getRequiredProperty(CLIENT_ID),
+            environment.getRequiredProperty(CLIENT_KEY)
+        );
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/conf/AzureKeyVaultCredentials.java

@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure.conf;
+
+import com.google.inject.Inject;
+import com.microsoft.aad.adal4j.AuthenticationContext;
+import com.microsoft.aad.adal4j.AuthenticationResult;
+import com.microsoft.aad.adal4j.ClientCredential;
+import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
+import java.net.MalformedURLException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import org.apache.guacamole.GuacamoleException;
+
+/**
+ * KeyVaultCredentials implementation which retrieves the required client ID
+ * and key from guacamole.properties. Note that KeyVaultCredentials as
+ * implemented in the Azure Java SDK is NOT THREADSAFE; it leverages a
+ * non-concurrent HashMap for authentication result caching and does not
+ * perform any synchronization.
+ */
+public class AzureKeyVaultCredentials extends KeyVaultCredentials {
+
+    /**
+     * Service for retrieving configuration information.
+     */
+    @Inject
+    private AzureKeyVaultConfigurationService confService;
+
+    /**
+     * {@inheritDoc}
+     *
+     * @throws AzureKeyVaultAuthenticationException
+     *     If an error occurs preventing successful authentication. Note that
+     *     this exception is unchecked. Uses of this class which need to be
+     *     aware of errors in the authentication process must manually catch
+     *     this exception.
+     */
+    @Override
+    public String doAuthenticate(String authorization, String resource,
+            String scope) throws AzureKeyVaultAuthenticationException {
+
+        // Read Azure credentials from guacamole.properties
+        ClientCredential credentials;
+        try {
+            credentials = confService.getClientCredentials();
+        }
+        catch (GuacamoleException e) {
+            throw new AzureKeyVaultAuthenticationException("Azure "
+                    + "credentials could not be read.", e);
+        }
+
+        ExecutorService service = Executors.newFixedThreadPool(1);
+        try {
+
+            // Attempt to aquire authentication token from Azure
+            AuthenticationContext context = new AuthenticationContext(authorization, false, service);
+            Future<AuthenticationResult> future = context.acquireToken(resource, credentials, null);
+
+            // Wait for response
+            AuthenticationResult result = future.get();
+
+            // The semantics of a null return value are not documented, however
+            // example code provided with the Azure Java SDK demonstrates that
+            // a null check is required, albeit without explanation
+            if (result == null)
+                throw new AzureKeyVaultAuthenticationException(
+                        "Authentication result from Azure was empty.");
+
+            // Return authentication token from successful response
+            return result.getAccessToken();
+
+        }
+
+        // Rethrow any errors which occur during the authentication process as
+        // AzureKeyVaultAuthenticationExceptions
+        catch (MalformedURLException e) {
+            throw new AzureKeyVaultAuthenticationException("Azure "
+                    + "authentication URL is malformed.", e);
+        }
+        catch (InterruptedException e) {
+            throw new AzureKeyVaultAuthenticationException("Azure "
+                    + "authentication process was interrupted.", e);
+        }
+        catch (ExecutionException e) {
+            throw new AzureKeyVaultAuthenticationException("Authentication "
+                    + "against Azure failed.", e);
+        }
+
+        finally {
+            service.shutdown();
+        }
+
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/java/org/apache/guacamole/vault/azure/secret/AzureKeyVaultSecretService.java

@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.vault.azure.secret;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import com.microsoft.azure.keyvault.KeyVaultClient;
+import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
+import com.microsoft.azure.keyvault.models.SecretBundle;
+import com.microsoft.rest.ServiceCallback;
+import java.util.concurrent.CompletableFuture;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.vault.azure.conf.AzureKeyVaultAuthenticationException;
+import org.apache.guacamole.vault.azure.conf.AzureKeyVaultConfigurationService;
+import org.apache.guacamole.vault.secret.CachedVaultSecretService;
+
+/**
+ * Service which retrieves secrets from Azure Key Vault.
+ */
+@Singleton
+public class AzureKeyVaultSecretService extends CachedVaultSecretService {
+
+    /**
+     * Pattern which matches contiguous groups of characters which are not
+     * allowed within Azure Key Vault secret names.
+     */
+    private static final Pattern DISALLOWED_CHARACTERS = Pattern.compile("[^a-zA-Z0-9-]+");
+
+    /**
+     * Service for retrieving configuration information.
+     */
+    @Inject
+    private AzureKeyVaultConfigurationService confService;
+
+    /**
+     * Provider for Azure Key Vault credentials.
+     */
+    @Inject
+    private Provider<KeyVaultCredentials> credentialProvider;
+
+    /**
+     * {@inheritDoc}
+     *
+     * <p>Azure Key Vault allows strictly a-z, A-Z, 0-9, and "-". This
+     * implementation strips out all contiguous groups of characters which are
+     * not allowed by Azure Key Vault, replacing them with a single dash.
+     */
+    @Override
+    public String canonicalize(String name) {
+        Matcher disallowed = DISALLOWED_CHARACTERS.matcher(name);
+        return disallowed.replaceAll("-");
+    }
+
+    @Override
+    protected CachedSecret refreshCachedSecret(String name)
+            throws GuacamoleException {
+
+        int ttl = confService.getSecretTTL();
+        String url = confService.getVaultURL();
+
+        CompletableFuture<String> retrievedValue = new CompletableFuture<>();
+
+        // getSecretAsync() still blocks for around half a second, despite
+        // technically being asynchronous
+        (new Thread() {
+
+            @Override
+            public void run() {
+                try {
+
+                    // Retrieve requested secret from Azure Key Vault
+                    KeyVaultClient client = new KeyVaultClient(credentialProvider.get());
+                    client.getSecretAsync(url, name, new ServiceCallback<SecretBundle>() {
+
+                        @Override
+                        public void failure(Throwable t) {
+                            retrievedValue.completeExceptionally(t);
+                        }
+
+                        @Override
+                        public void success(SecretBundle secret) {
+                            String value = (secret != null) ? secret.value() : null;
+                            retrievedValue.complete(value);
+                        }
+
+                    });
+
+                }
+                catch (AzureKeyVaultAuthenticationException e) {
+                    retrievedValue.completeExceptionally(e);
+                }
+            }
+
+        }).start();
+
+        // Cache retrieved value
+        return new CachedSecret(retrievedValue, ttl);
+
+    }
+
+}

extensions/guacamole-vault/modules/guacamole-vault-azure/src/main/resources/guac-manifest.json

@@ -0,0 +1,16 @@
+{
+
+    "guacamoleVersion" : "1.4.0",
+
+    "name"      : "Azure Key Vault",
+    "namespace" : "azure-keyvault",
+
+    "authProviders" : [
+        "org.apache.guacamole.vault.azure.AzureKeyVaultAuthenticationProvider"
+    ],
+
+    "translations" : [
+        "translations/en.json"
+    ]
+
+}