GUACAMOLE-362: Move password decryption logic into TicketValidationService class.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/62fafcb3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/62fafcb3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/62fafcb3 Branch: refs/heads/staging/0.9.14-incubating Commit: 62fafcb379f96bb6850f1b4cbb0339072fe0f9f6 Parents: 6313432 Author: Nick Couchman <vn...@apache.org> Authored: Wed Sep 27 11:13:51 2017 -0400 Committer: Nick Couchman <nick.couch...@yahoo.com> Committed: Fri Oct 27 13:05:13 2017 -0400 ---------------------------------------------------------------------- .../auth/cas/AuthenticationProviderService.java | 114 ++----------------- .../cas/ticket/TicketValidationService.java | 108 +++++++++++++++++- 2 files changed, 113 insertions(+), 109 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/62fafcb3/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java index 171c30f..325268e 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java @@ -21,32 +21,11 @@ package org.apache.guacamole.auth.cas; import com.google.inject.Inject; import com.google.inject.Provider; -import java.io.BufferedInputStream; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.InputStream; -import java.io.IOException; -import java.lang.IllegalArgumentException; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.spec.KeySpec; -import java.security.spec.PKCS8EncodedKeySpec; import java.util.Arrays; -import java.util.Enumeration; -import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; -import javax.xml.bind.DatatypeConverter; import org.apache.guacamole.environment.Environment; import org.apache.guacamole.form.Field; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException; @@ -54,9 +33,6 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService; import org.apache.guacamole.auth.cas.form.CASTicketField; import org.apache.guacamole.auth.cas.ticket.TicketValidationService; import org.apache.guacamole.auth.cas.user.AuthenticatedUser; -import org.jasig.cas.client.authentication.AttributePrincipal; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * Service providing convenience functions for the CAS AuthenticationProvider @@ -65,11 +41,6 @@ import org.slf4j.LoggerFactory; public class AuthenticationProviderService { /** - * Logger for this class. - */ - private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class); - - /** * Service for retrieving CAS configuration information. */ @Inject @@ -116,16 +87,17 @@ public class AuthenticationProviderService { if (request != null) { String ticket = request.getParameter(CASTicketField.PARAMETER_NAME); if (ticket != null) { - AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); - AttributePrincipal principal = ticketService.validateTicket(ticket); - String username = principal.getName(); - Object credObj = principal.getAttributes().get("credential"); - if (credObj != null) { - String clearPass = decryptPassword(credObj.toString()); - if (clearPass != null && !clearPass.isEmpty()) - credentials.setPassword(clearPass); + Credentials ticketCredentials = ticketService.validateTicket(ticket); + if (ticketCredentials != null) { + String username = ticketCredentials.getUsername(); + if (username != null) + credentials.setUsername(username); + String password = ticketCredentials.getPassword(); + if (password != null) + credentials.setPassword(password); } - authenticatedUser.init(username, credentials); + AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); + authenticatedUser.init(credentials.getUsername(), credentials); return authenticatedUser; } } @@ -147,70 +119,4 @@ public class AuthenticationProviderService { } - /** - * Takes an encrypted string representing a password provided by - * the CAS ClearPass service and decrypts it using the private - * key configured for this extension. Returns null if it is - * unable to decrypt the password. - * - * @param encryptedPassword - * A string with the encrypted password provided by the - * CAS service. - * - * @return - * The decrypted password, or null if it is unable to - * decrypt the password. - * - * @throws GuacamoleException - * If unable to get Guacamole configuration data - */ - private final String decryptPassword(String encryptedPassword) - throws GuacamoleException { - - // If we get nothing, we return nothing. - if (encryptedPassword == null || encryptedPassword.isEmpty()) { - logger.warn("No or empty encrypted password, no password will be available."); - return null; - } - - final PrivateKey clearpassKey = confService.getClearpassKey(); - if (clearpassKey == null) { - logger.warn("No private key available to decrypt password."); - return null; - } - - try { - - final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm()); - - if (cipher == null) - throw new GuacamoleServerException("Failed to initialize cipher object with private key."); - - // Initialize the Cipher in decrypt mode. - cipher.init(Cipher.DECRYPT_MODE, clearpassKey); - - // Decode and decrypt, and return a new string. - final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); - final byte[] cipherData = cipher.doFinal(pass64); - return new String(cipherData); - - } - catch (BadPaddingException e) { - throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e); - } - catch (IllegalBlockSizeException e) { - throw new GuacamoleServerException("Illegal block size while opening private key.", e); - } - catch (InvalidKeyException e) { - throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e); - } - catch (NoSuchAlgorithmException e) { - throw new GuacamoleServerException("Unexpected algorithm for the private key.", e); - } - catch (NoSuchPaddingException e) { - throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e); - } - - } - } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/62fafcb3/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java index 96da6ff..0162801 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java @@ -20,14 +20,24 @@ package org.apache.guacamole.auth.cas.ticket; import com.google.inject.Inject; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.xml.bind.DatatypeConverter; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.cas.conf.ConfigurationService; +import org.apache.guacamole.net.auth.Credentials; import org.jasig.cas.client.authentication.AttributePrincipal; import org.jasig.cas.client.validation.Assertion; import org.jasig.cas.client.validation.Cas20ProxyTicketValidator; import org.jasig.cas.client.validation.TicketValidationException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Service for validating ID tickets forwarded to us by the client, verifying @@ -36,13 +46,18 @@ import org.jasig.cas.client.validation.TicketValidationException; public class TicketValidationService { /** + * Logger for this class. + */ + private static final Logger logger = LoggerFactory.getLogger(TicketValidationService.class); + + /** * Service for retrieving CAS configuration information. */ @Inject private ConfigurationService confService; /** - * Validates and parses the given ID ticket, returning the AttributePrincipal + * Validates and parses the given ID ticket, returning the Credentials object * derived from the parameters provided by the CAS server in the ticket. If the * ticket is invalid an exception is thrown. * @@ -50,13 +65,13 @@ public class TicketValidationService { * The ID ticket to validate and parse. * * @return - * The AttributePrincipal derived from parameters provided in the ticket. + * The Credentials object derived from parameters provided in the ticket. * * @throws GuacamoleException * If the ID ticket is not valid or guacamole.properties could * not be parsed. */ - public AttributePrincipal validateTicket(String ticket) throws GuacamoleException { + public Credentials validateTicket(String ticket) throws GuacamoleException { // Retrieve the configured CAS URL, establish a ticket validator, // and then attempt to validate the supplied ticket. If that succeeds, @@ -65,9 +80,26 @@ public class TicketValidationService { Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl); validator.setAcceptAnyProxy(true); try { + Credentials ticketCredentials = new Credentials(); String confRedirectURI = confService.getRedirectURI(); Assertion a = validator.validate(ticket, confRedirectURI); - return a.getPrincipal(); + AttributePrincipal principal = a.getPrincipal(); + + // Retrieve username and set the credentials. + String username = principal.getName(); + if (username != null) + ticketCredentials.setUsername(username); + + // Retrieve password, attempt decryption, and set credentials. + Object credObj = principal.getAttributes().get("credential"); + if (credObj != null) { + String clearPass = decryptPassword(credObj.toString()); + if (clearPass != null && !clearPass.isEmpty()) + ticketCredentials.setPassword(clearPass); + } + + return ticketCredentials; + } catch (TicketValidationException e) { throw new GuacamoleException("Ticket validation failed.", e); @@ -75,4 +107,70 @@ public class TicketValidationService { } + /** + * Takes an encrypted string representing a password provided by + * the CAS ClearPass service and decrypts it using the private + * key configured for this extension. Returns null if it is + * unable to decrypt the password. + * + * @param encryptedPassword + * A string with the encrypted password provided by the + * CAS service. + * + * @return + * The decrypted password, or null if it is unable to + * decrypt the password. + * + * @throws GuacamoleException + * If unable to get Guacamole configuration data + */ + private final String decryptPassword(String encryptedPassword) + throws GuacamoleException { + + // If we get nothing, we return nothing. + if (encryptedPassword == null || encryptedPassword.isEmpty()) { + logger.warn("No or empty encrypted password, no password will be available."); + return null; + } + + final PrivateKey clearpassKey = confService.getClearpassKey(); + if (clearpassKey == null) { + logger.warn("No private key available to decrypt password."); + return null; + } + + try { + + final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm()); + + if (cipher == null) + throw new GuacamoleServerException("Failed to initialize cipher object with private key."); + + // Initialize the Cipher in decrypt mode. + cipher.init(Cipher.DECRYPT_MODE, clearpassKey); + + // Decode and decrypt, and return a new string. + final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); + final byte[] cipherData = cipher.doFinal(pass64); + return new String(cipherData); + + } + catch (BadPaddingException e) { + throw new GuacamoleServerException("Bad padding when decrypting cipher data.", e); + } + catch (IllegalBlockSizeException e) { + throw new GuacamoleServerException("Illegal block size while opening private key.", e); + } + catch (InvalidKeyException e) { + throw new GuacamoleServerException("Specified private key for ClearPass decryption is invalid.", e); + } + catch (NoSuchAlgorithmException e) { + throw new GuacamoleServerException("Unexpected algorithm for the private key.", e); + } + catch (NoSuchPaddingException e) { + throw new GuacamoleServerException("No such padding tryingto initialize cipher with private key.", e); + } + + } + }