necouchman commented on code in PR #984:
URL: https://github.com/apache/guacamole-client/pull/984#discussion_r1620737434
##########
extensions/guacamole-auth-nextcloud/src/main/resources/guac-manifest.json:
##########
@@ -0,0 +1,12 @@
+{
+
+ "guacamoleVersion" : "1.5.4",
Review Comment:
This probably needs to be bumped to `1.5.5`, since that's the current
version.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
Review Comment:
It might be nice to have some documentation throughout this function -
simply comments that indicate what you're doing and why.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/ConfigurationService.java:
##########
@@ -0,0 +1,131 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.google.inject.Inject;
+
+import java.util.Collection;
+import java.util.Collections;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.ByteArrayProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.StringListProperty;
Review Comment:
You can remove the blank lines.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
+
+ }
+
+ /**
+ * Validates the provided JSON Web Token (JWT).
+ *
+ * This method decodes the public key from a base64 encoded string,
verifies the JWT using
+ * the ECDSA256 algorithm, and checks the token's validity period and user
permissions.
+ *
+ * @param token the JWT token to validate.
+ * @return {@code true} if the token is valid and the user is allowed,
{@code false} otherwise.
+ * @throws GuacamoleException if the user is not allowed or the token is
expired.
+ * @throws JWTVerificationException if the token verification fails.
+ * @throws NoSuchAlgorithmException if the algorithm for key generation is
not available.
+ * @throws InvalidKeySpecException if the key specification is invalid.
Review Comment:
This function actually does *not* throw anything except `GuacamoleException`
- all of the other exceptions you have captured and are simply doing a `return
false` in the `catch` block.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
Review Comment:
This needs a comment.
##########
extensions/pom.xml:
##########
@@ -45,6 +45,7 @@
<module>guacamole-auth-header</module>
<module>guacamole-auth-jdbc</module>
<module>guacamole-auth-json</module>
+ <module>guacamole-auth-nextcloud</module>
Review Comment:
This should be moved down below `ldap` to maintain alphabetic sorting.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
Review Comment:
The `nctoken` value should likely be defined as a constant.
Also, is it _always_ `nctoken`, or are there any situations where this could
be configurable?
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
Review Comment:
This needs a comment.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/RequestValidationService.java:
##########
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.google.inject.Inject;
+
+import java.util.Collection;
+import javax.servlet.http.HttpServletRequest;
+import inet.ipaddr.IPAddressString;
+
+import org.apache.guacamole.GuacamoleException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
Review Comment:
`imports` should not be broken up like this, and they should be in
alphabetical order.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
Review Comment:
No need to leave any blank lines in the `import` blocks.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
Review Comment:
Missing comment for this property.
Also, should be a blank line between this line and the next one.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
+
+ }
+
+ /**
+ * Validates the provided JSON Web Token (JWT).
+ *
+ * This method decodes the public key from a base64 encoded string,
verifies the JWT using
+ * the ECDSA256 algorithm, and checks the token's validity period and user
permissions.
+ *
+ * @param token the JWT token to validate.
+ * @return {@code true} if the token is valid and the user is allowed,
{@code false} otherwise.
+ * @throws GuacamoleException if the user is not allowed or the token is
expired.
+ * @throws JWTVerificationException if the token verification fails.
+ * @throws NoSuchAlgorithmException if the algorithm for key generation is
not available.
+ * @throws InvalidKeySpecException if the key specification is invalid.
+ */
+ private boolean isValidJWT(final String token) throws GuacamoleException {
+ try {
+ byte[] keyBytes =
Base64.getDecoder().decode(confService.getPublicKey());
+ KeyFactory keyFactory = KeyFactory.getInstance("EC");
+ X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
+ ECPublicKey publicKey = (ECPublicKey)
keyFactory.generatePublic(keySpec);
+
+ JWTVerifier verifier =
JWT.require(Algorithm.ECDSA256(publicKey)).build();
+ DecodedJWT decodedJWT = verifier.verify(token);
+
+ Date currentDate = new Date();
+ Date maxValidDate = new Date(currentDate.getTime() -
(MINUTES_TOKEN_VALID * 60 * 1000));
+ boolean isUserAllowed =
this.isUserAllowed(decodedJWT.getPayload());
+ if (!isUserAllowed) {
+ throw new GuacamoleException("User not allowed.");
+ }
+
+ boolean isValidToken =
decodedJWT.getExpiresAt().after(maxValidDate);
+ if (!isValidToken) {
+ throw new GuacamoleException("User not allowed.");
+ }
+
+ return true;
+ } catch (final JWTVerificationException | NoSuchAlgorithmException |
InvalidKeySpecException ex) {
+ logger.error("Token validation failed.", ex);
+ return false;
+ }
+ }
+
+ private boolean validIpAddress(final String ipAddress) throws
GuacamoleException {
Review Comment:
As @jmuehlner indicated, please document this method - both declaration and
throughout the code.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,176 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
+
+ }
+
+ private boolean isValidJWT(final String token) throws GuacamoleException {
Review Comment:
The formatting on this documentation needs to follow standards used
elsewhere in the code - for example:
```
* @param token
* The JWT token to validate.
```
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
+
+ }
+
+ /**
+ * Validates the provided JSON Web Token (JWT).
+ *
+ * This method decodes the public key from a base64 encoded string,
verifies the JWT using
+ * the ECDSA256 algorithm, and checks the token's validity period and user
permissions.
+ *
+ * @param token the JWT token to validate.
+ * @return {@code true} if the token is valid and the user is allowed,
{@code false} otherwise.
+ * @throws GuacamoleException if the user is not allowed or the token is
expired.
+ * @throws JWTVerificationException if the token verification fails.
+ * @throws NoSuchAlgorithmException if the algorithm for key generation is
not available.
+ * @throws InvalidKeySpecException if the key specification is invalid.
+ */
+ private boolean isValidJWT(final String token) throws GuacamoleException {
+ try {
+ byte[] keyBytes =
Base64.getDecoder().decode(confService.getPublicKey());
+ KeyFactory keyFactory = KeyFactory.getInstance("EC");
+ X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
+ ECPublicKey publicKey = (ECPublicKey)
keyFactory.generatePublic(keySpec);
+
+ JWTVerifier verifier =
JWT.require(Algorithm.ECDSA256(publicKey)).build();
+ DecodedJWT decodedJWT = verifier.verify(token);
+
+ Date currentDate = new Date();
+ Date maxValidDate = new Date(currentDate.getTime() -
(MINUTES_TOKEN_VALID * 60 * 1000));
+ boolean isUserAllowed =
this.isUserAllowed(decodedJWT.getPayload());
+ if (!isUserAllowed) {
+ throw new GuacamoleException("User not allowed.");
+ }
+
+ boolean isValidToken =
decodedJWT.getExpiresAt().after(maxValidDate);
+ if (!isValidToken) {
+ throw new GuacamoleException("User not allowed.");
+ }
+
+ return true;
+ } catch (final JWTVerificationException | NoSuchAlgorithmException |
InvalidKeySpecException ex) {
+ logger.error("Token validation failed.", ex);
+ return false;
+ }
+ }
+
+ private boolean validIpAddress(final String ipAddress) throws
GuacamoleException {
+
+ if (confService.getTrustedNetworks().contains(ipAddress)) {
+ logger.info("{} in list of allowed IP addresses.", ipAddress);
+ return true;
+ }
+ logger.warn("{} not in list of allowed IP addresses.", ipAddress);
+ return false;
+ }
+
+ private boolean isUserAllowed(final String payload) {
Review Comment:
Same with this one - please document.
##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,176 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends
AbstractAuthenticationProvider {
+
+ private static final int MINUTES_TOKEN_VALID = 1;
+ /**
+ * Injector which will manage the object graph of this authentication
+ * provider.
+ */
+ private final Injector injector;
+
+ @Inject
+ private ConfigurationService confService;
+
+ private static final Logger logger =
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+ /**
+ * Creates a new MextcloudJwtAuthenticationProvider that authenticates
user.
+ *
+ * @throws GuacamoleException
+ * If a required property is missing, or an error occurs while parsing
+ * a property.
+ */
+ public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+ // Set up Guice injector.
+ injector = Guice.createInjector(new
NextcloudJwtAuthenticationProviderModule(this));
+
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "nextcloud";
+ }
+
+ @Override
+ public AuthenticatedUser authenticateUser(Credentials credentials) throws
GuacamoleException {
+
+ HttpServletRequest request = credentials.getRequest();
+
+ String token = request.getParameter("nctoken");
+ String ipaddr = request.getRemoteAddr();
+
+ boolean localAddr = this.validIpAddress(ipaddr);
+ if (localAddr) {
+ logger.info("Request from local address {}", ipaddr);
+ return null;
+ }
+
+ if (token == null) {
+ throw new GuacamoleException("Missing token.");
+ }
+
+ try {
+ boolean valid = this.isValidJWT(token);
+ if (!valid) {
+ throw new GuacamoleException("Token expired.");
+ }
+ logger.info("Token valid.");
+ } catch (final GuacamoleException ex) {
+ logger.error("Token validation failed.", ex);
+ throw new GuacamoleException(ex.getMessage());
+ }
+ return null;
+
+ }
+
+ private boolean isValidJWT(final String token) throws GuacamoleException {
Review Comment:
Also, in addition to the documentation at the method declaration, it might
be nice to have some comments throughout the code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
