GUACAMOLE-362: Implement new CipherGuacamoleProperty and move cipher functionality to it.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/36489ff4 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/36489ff4 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/36489ff4 Branch: refs/heads/master Commit: 36489ff403ae66219e858773b7e5095241628c2a Parents: c3aaf0a Author: Nick Couchman <vn...@apache.org> Authored: Sun Aug 27 20:34:46 2017 -0400 Committer: Nick Couchman <nick.couch...@yahoo.com> Committed: Fri Oct 27 13:05:12 2017 -0400 ---------------------------------------------------------------------- .../auth/cas/AuthenticationProviderService.java | 46 ++-------- .../auth/cas/conf/CASGuacamoleProperties.java | 6 +- .../auth/cas/conf/ConfigurationService.java | 3 +- .../properties/CipherGuacamoleProperty.java | 92 ++++++++++++++++++++ 4 files changed, 102 insertions(+), 45 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/36489ff4/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
index feb842d..b7ebdf7 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
@@ -37,6 +37,7 @@ import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
 import java.util.Enumeration;
 import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
@@ -170,53 +171,16 @@ public class AuthenticationProviderService {
 try {
- // Open and read the file specified in the configuration.
- File keyFile = new File(environment.getGuacamoleHome(), confService.getClearpassKey().toString());
- InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile));
- final byte[] keyBytes = new byte[(int) keyFile.length()];
- keyInput.read(keyBytes);
- keyInput.close();
-
- // Set up decryption infrastructure
- KeyFactory keyFactory = KeyFactory.getInstance("RSA");
- KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
- final PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
- final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
- final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
- cipher.init(Cipher.DECRYPT_MODE, privateKey);
+ final Cipher cipher = confService.getClearpassCipher();
 // Decrypt and return a new string.
+ final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword);
 final byte[] cipherData = cipher.doFinal(pass64);
 return new String(cipherData);
 }
- catch (FileNotFoundException e) {
- logger.error("ClearPass key file not found, password will not be decrypted.");
- logger.debug("Error locating the ClearPass key file: {}", e);
- return null;
- }
- catch (IOException e) {
- logger.error("Error reading ClearPass key file, password will not be decrypted.");
- logger.debug("Error reading the ClearPass key file: {}", e);
- return null;
- }
- catch (NoSuchAlgorithmException e) {
- logger.error("Unable to find the specified algorithm, password will not be decrypted.");
- logger.debug("Algorithm was not found: {}", e);
- return null;
- }
- catch (InvalidKeyException e) {
- logger.error("Invalid key was loaded, password will not be decrypted.");
- logger.debug("The loaded key was invalid: {}", e);
- return null;
- }
- catch (IllegalArgumentException e) {
- logger.error("Failed to parse Base64 data, password will not be decrypted.");
- logger.debug("Data received was not valid Base64 data, so decryption cannot continue: {}", e);
- return null;
- }
 catch (Throwable t) {
- logger.error("Error decrypting password, it will not be available as a token.");
- logger.debug("Error in one of the components to decrypt the password: {}", t);
+ logger.error("Failed to decrypt the data, password token will not be available.");
+ logger.debug("Failed to either convert Base64 or decrypt the password. CAS Password will not be available inside Guacamole. Exception is: {}", t);
 return null;
 }
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/36489ff4/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
index 410e848..7a600c9 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
@@ -19,7 +19,7 @@
 package org.apache.guacamole.auth.cas.conf;
-import org.apache.guacamole.properties.FileGuacamoleProperty;
+import org.apache.guacamole.properties.CipherGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
 /**
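Review bot: `return new String(cipherData);` on the new side decodes the decrypted password with the JVM's default charset, so the token can come out corrupted on hosts whose default does not match what the CAS server encoded with; `return new String(cipherData, StandardCharsets.UTF_8);` (or `Charset.forName("UTF-8")` if this module still targets Java 6) pins it. The `javax.crypto.IllegalBlockSizeException` import added in the first hunk is never used here, because the only remaining handler is still `catch (Throwable t)`, which also swallows `Error`s; catching `GuacamoleException`, `IllegalArgumentException` and `GeneralSecurityException` explicitly would keep the import honest and leave JVM errors alone. Passing `t` through a `{}` placeholder in the new debug line logs only its `toString()`, not the stack trace — pass it as the trailing argument without a placeholder. If `confService.getClearpassCipher()` ever hands back a cached instance rather than a freshly initialised one, concurrent logins would share one stateful `Cipher`, which is not safe; worth confirming against how `Environment.getProperty` treats parsed values. The enclosing method begins before this hunk.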
@@ -62,8 +62,8 @@ public class CASGuacamoleProperties {
 * The location of the private key file used to retrieve the
 * password if CAS is configured to support ClearPass.
 */
- public static final FileGuacamoleProperty CAS_CLEARPASS_KEY =
- new FileGuacamoleProperty() {
+ public static final CipherGuacamoleProperty CAS_CLEARPASS_KEY =
+ new CipherGuacamoleProperty() {
 @Override
 public String getName() { return "cas-clearpass-key"; }
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/36489ff4/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
index b2d74d5..ba969d4 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
@@ -21,6 +21,7 @@
 package org.apache.guacamole.auth.cas.conf;
 import com.google.inject.Inject;
 import java.io.File;
+import javax.crypto.Cipher;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
@@ -81,7 +82,7 @@ public class ConfigurationService {
 * @throws GuacamoleException
 * If guacamole.properties cannot be parsed.
 */
- public File getClearpassKey() throws GuacamoleException {
+ public Cipher getClearpassCipher() throws GuacamoleException {
 return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY);
 }
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/36489ff4/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java
----------------------------------------------------------------------
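Review bot: The Javadoc kept in context above `CAS_CLEARPASS_KEY` still describes the property as "The location of the private key file", but the value the environment now returns for it is an initialised `Cipher`, not a path, so a reader of this constant is misled about what `getProperty` gives back. Suggest rewording it to `The private key file used to retrieve the password if CAS is configured to support ClearPass. The configured value is the file's location; it is parsed into a Cipher ready for decryption.` The anonymous class body continues past the end of this hunk.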
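Review bot: `getClearpassCipher()` now fails for more reasons than the `@throws` text kept in context admits, since parsing the property reads the key file and builds a `Cipher`; `If guacamole.properties cannot be parsed.` should become `If guacamole.properties cannot be parsed, or if the ClearPass key file cannot be read or used to initialise a Cipher.` The `@return` text above this hunk is not visible here but presumably still describes a file and needs the same update. `import java.io.File;` in the earlier hunk of this file is retained although its only visible use was the old return type; drop it unless the rest of the file still needs it.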
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java b/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java
new file mode 100644
index 0000000..e2f95ec
--- /dev/null
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java
@@ -0,0 +1,92 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.properties;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.IllegalArgumentException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.environment.LocalEnvironment;
+
+/**
+ * A GuacamoleProperty whose value is derived from a private key file.
+ */
+public abstract class CipherGuacamoleProperty implements GuacamoleProperty<Cipher> {
+
+ @Override
+ public Cipher parseValue(String value) throws GuacamoleException {
+
+ try {
+
+ final Environment environment = new LocalEnvironment();
+
+ // Open and read the file specified in the configuration.
+ File keyFile = new File(environment.getGuacamoleHome(), value);
+ InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile));
+ final byte[] keyBytes = new byte[(int) keyFile.length()];
+ keyInput.read(keyBytes);
+ keyInput.close();
+
+ // Set up decryption infrastructure
+ KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+ KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
+ final PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
+ final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+
+ return cipher;
+
+ }
+ catch (FileNotFoundException e) {
+ throw new GuacamoleException("Could not find the specified key file.", e);
+ }
+ catch (IOException e) {
+ throw new GuacamoleException("Could not read in the specified key file.", e);
+ }
+ catch (NoSuchAlgorithmException e) {
+ throw new GuacamoleException("Specified algorithm does not exist.", e);
+ }
+ catch (InvalidKeyException e) {
+ throw new GuacamoleException("Specified key is invalid.", e);
+ }
+ catch (InvalidKeySpecException e) {
+ throw new GuacamoleException("Invalid KeySpec initialization.", e);
+ }
+ catch (NoSuchPaddingException e) {
+ throw new GuacamoleException("No such padding exception.", e);
+ }
+
+ }
+
+}
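Review bot: In `parseValue`, `keyInput.read(keyBytes)` is a single read whose return value is ignored, so it is not guaranteed to fill the buffer (a short read leaves the tail of `keyBytes` zeroed and hands a truncated encoding to `generatePrivate`), and `keyInput` is never closed when `read` or anything after it throws. Wrapping the stream as a `DataInputStream` and replacing the read/close pair with `try { keyInput.readFully(keyBytes); } finally { keyInput.close(); }` fixes both; a `java.io.DataInputStream` import can take the place of the unused `java.lang.IllegalArgumentException` one. `Cipher.getInstance(privateKey.getAlgorithm())` requests bare `"RSA"`, which leaves mode and padding to whatever the installed provider defaults to; naming the transformation the deployment actually expects, e.g. `Cipher.getInstance("RSA/ECB/PKCS1Padding")`, keeps decryption from silently changing with the provider. The class Javadoc should also say what the file must contain and where it is resolved — something like `The configured value is a path, relative to GUACAMOLE_HOME, to a DER-encoded PKCS#8 file holding an unencrypted RSA private key; parsing returns a Cipher already initialised in DECRYPT_MODE with that key.` — and, because a Cipher is stateful, whether callers may share the returned instance across threads depends on whether Environment caches parsed values, which is not visible here.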