GUACAMOLE-136: Remove DuoWeb Java API from codebase. Re-implement cleanly from scratch.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/9056bb0f Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/9056bb0f Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/9056bb0f Branch: refs/heads/master Commit: 9056bb0f4f44192866fe52c66d55d0a501375e3d Parents: cf6a2b8 Author: Michael Jumper <[email protected]> Authored: Sat Dec 10 01:06:04 2016 -0800 Committer: Michael Jumper <[email protected]> Committed: Sat Dec 10 18:53:55 2016 -0800 ---------------------------------------------------------------------- .../java/com/duosecurity/duoweb/Base64.java | 1500 ------------------ .../java/com/duosecurity/duoweb/DuoWeb.java | 138 -- .../com/duosecurity/duoweb/DuoWebException.java | 8 - .../main/java/com/duosecurity/duoweb/Util.java | 26 - .../duo/DuoAuthenticationProviderModule.java | 3 +- .../guacamole/auth/duo/DuoWebService.java | 212 --- .../auth/duo/UserVerificationService.java | 9 +- .../guacamole/auth/duo/api/DuoCookie.java | 245 +++ .../guacamole/auth/duo/api/DuoService.java | 205 +++ .../guacamole/auth/duo/api/SignedDuoCookie.java | 332 ++++ 10 files changed, 789 insertions(+), 1889 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Base64.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Base64.java b/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Base64.java deleted file mode 100644 index 8f25477..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Base64.java +++ /dev/null @@ -1,1500 +0,0 @@ -package com.duosecurity.duoweb; - -public class Base64 { - - /* ******** P U B L I C F I E L D S ******** */ - - /** No options specified. Value is zero. */ - public final static int NO_OPTIONS = 0; - - /** Specify encoding in first bit. Value is one. */ - public final static int ENCODE = 1; - - /** Specify decoding in first bit. Value is zero. */ - public final static int DECODE = 0; - - /** Specify that data should be gzip-compressed in second bit. Value is two. */ - public final static int GZIP = 2; - - /** - * Specify that gzipped data should <em>not</em> be automatically gunzipped. - */ - public final static int DONT_GUNZIP = 4; - - /** Do break lines when encoding. Value is 8. */ - public final static int DO_BREAK_LINES = 8; - - /** - * Encode using Base64-like encoding that is URL- and Filename-safe as - * described in Section 4 of RFC3548: <a - * href="http://www.faqs.org/rfcs/rfc3548.html"; - * >http://www.faqs.org/rfcs/rfc3548.html</a>. It is important to note that - * data encoded this way is <em>not</em> officially valid Base64, or at the - * very least should not be called Base64 without also specifying that is - * was encoded using the URL- and Filename-safe dialect. - */ - public final static int URL_SAFE = 16; - - /** - * Encode using the special "ordered" dialect of Base64 described here: <a - * href="http://www.faqs.org/qa/rfcc-1940.html";>http://www.faqs.org/qa/rfcc- - * 1940.html</a>. - */ - public final static int ORDERED = 32; - - /* ******** P R I V A T E F I E L D S ******** */ - - /** Maximum line length (76) of Base64 output. */ - private final static int MAX_LINE_LENGTH = 76; - - /** The equals sign (=) as a byte. */ - private final static byte EQUALS_SIGN = (byte) '='; - - /** The new line character (\n) as a byte. */ - private final static byte NEW_LINE = (byte) '\n'; - - /** Preferred encoding. */ - private final static String PREFERRED_ENCODING = "US-ASCII"; - - private final static byte WHITE_SPACE_ENC = -5; // Indicates white space in - // encoding - private final static byte EQUALS_SIGN_ENC = -1; // Indicates equals sign in - // encoding - - /* ******** S T A N D A R D B A S E 6 4 A L P H A B E T ******** */ - - /** The 64 valid Base64 values. */ - /* - * Host platform me be something funny like EBCDIC, so we hardcode these - * values. - */ - private final static byte[] _STANDARD_ALPHABET = { (byte) 'A', (byte) 'B', - (byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', - (byte) 'H', (byte) 'I', (byte) 'J', (byte) 'K', (byte) 'L', - (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P', (byte) 'Q', - (byte) 'R', (byte) 'S', (byte) 'T', (byte) 'U', (byte) 'V', - (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', (byte) 'a', - (byte) 'b', (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f', - (byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k', - (byte) 'l', (byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', - (byte) 'q', (byte) 'r', (byte) 's', (byte) 't', (byte) 'u', - (byte) 'v', (byte) 'w', (byte) 'x', (byte) 'y', (byte) 'z', - (byte) '0', (byte) '1', (byte) '2', (byte) '3', (byte) '4', - (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9', - (byte) '+', (byte) '/' }; - - /** - * Translates a Base64 value to either its 6-bit reconstruction value or a - * negative number indicating some other meaning. - **/ - private final static byte[] _STANDARD_DECODABET = { -9, -9, -9, -9, -9, -9, - -9, -9, -9, // Decimal 0 - 8 - -5, -5, // Whitespace: Tab and Linefeed - -9, -9, // Decimal 11 - 12 - -5, // Whitespace: Carriage Return - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - - // 26 - -9, -9, -9, -9, -9, // Decimal 27 - 31 - -5, // Whitespace: Space - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42 - 62, // Plus sign at decimal 43 - -9, -9, -9, // Decimal 44 - 46 - 63, // Slash at decimal 47 - 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine - -9, -9, -9, // Decimal 58 - 60 - -1, // Equals sign at decimal 61 - -9, -9, -9, // Decimal 62 - 64 - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through - // 'N' - 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' - // through 'Z' - -9, -9, -9, -9, -9, -9, // Decimal 91 - 96 - 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' - // through 'm' - 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' - // through 'z' - -9, -9, -9, -9, -9 // Decimal 123 - 127 - , -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - - // 139 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - - // 152 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - - // 165 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - - // 178 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - - // 191 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - - // 204 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - - // 217 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - - // 230 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - - // 243 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255 - }; - - /* ******** U R L S A F E B A S E 6 4 A L P H A B E T ******** */ - - /** - * Used in the URL- and Filename-safe dialect described in Section 4 of - * RFC3548: <a - * href="http://www.faqs.org/rfcs/rfc3548.html";>http://www.faqs.org - * /rfcs/rfc3548.html</a>. Notice that the last two bytes become "hyphen" - * and "underscore" instead of "plus" and "slash." - */ - private final static byte[] _URL_SAFE_ALPHABET = { (byte) 'A', (byte) 'B', - (byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', - (byte) 'H', (byte) 'I', (byte) 'J', (byte) 'K', (byte) 'L', - (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P', (byte) 'Q', - (byte) 'R', (byte) 'S', (byte) 'T', (byte) 'U', (byte) 'V', - (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', (byte) 'a', - (byte) 'b', (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f', - (byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k', - (byte) 'l', (byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', - (byte) 'q', (byte) 'r', (byte) 's', (byte) 't', (byte) 'u', - (byte) 'v', (byte) 'w', (byte) 'x', (byte) 'y', (byte) 'z', - (byte) '0', (byte) '1', (byte) '2', (byte) '3', (byte) '4', - (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9', - (byte) '-', (byte) '_' }; - - /** - * Used in decoding URL- and Filename-safe dialects of Base64. - */ - private final static byte[] _URL_SAFE_DECODABET = { -9, -9, -9, -9, -9, -9, - -9, -9, -9, // Decimal 0 - 8 - -5, -5, // Whitespace: Tab and Linefeed - -9, -9, // Decimal 11 - 12 - -5, // Whitespace: Carriage Return - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - - // 26 - -9, -9, -9, -9, -9, // Decimal 27 - 31 - -5, // Whitespace: Space - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42 - -9, // Plus sign at decimal 43 - -9, // Decimal 44 - 62, // Minus sign at decimal 45 - -9, // Decimal 46 - -9, // Slash at decimal 47 - 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine - -9, -9, -9, // Decimal 58 - 60 - -1, // Equals sign at decimal 61 - -9, -9, -9, // Decimal 62 - 64 - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through - // 'N' - 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' - // through 'Z' - -9, -9, -9, -9, // Decimal 91 - 94 - 63, // Underscore at decimal 95 - -9, // Decimal 96 - 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' - // through 'm' - 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' - // through 'z' - -9, -9, -9, -9, -9 // Decimal 123 - 127 - , -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - - // 139 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - - // 152 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - - // 165 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - - // 178 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - - // 191 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - - // 204 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - - // 217 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - - // 230 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - - // 243 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255 - }; - - /* ******** O R D E R E D B A S E 6 4 A L P H A B E T ******** */ - - /** - * I don't get the point of this technique, but someone requested it, and it - * is described here: <a - * href="http://www.faqs.org/qa/rfcc-1940.html";>http:// - * www.faqs.org/qa/rfcc-1940.html</a>. - */ - private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', - (byte) '1', (byte) '2', (byte) '3', (byte) '4', (byte) '5', - (byte) '6', (byte) '7', (byte) '8', (byte) '9', (byte) 'A', - (byte) 'B', (byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', - (byte) 'G', (byte) 'H', (byte) 'I', (byte) 'J', (byte) 'K', - (byte) 'L', (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P', - (byte) 'Q', (byte) 'R', (byte) 'S', (byte) 'T', (byte) 'U', - (byte) 'V', (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', - (byte) '_', (byte) 'a', (byte) 'b', (byte) 'c', (byte) 'd', - (byte) 'e', (byte) 'f', (byte) 'g', (byte) 'h', (byte) 'i', - (byte) 'j', (byte) 'k', (byte) 'l', (byte) 'm', (byte) 'n', - (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r', (byte) 's', - (byte) 't', (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x', - (byte) 'y', (byte) 'z' }; - - /** - * Used in decoding the "ordered" dialect of Base64. - */ - private final static byte[] _ORDERED_DECODABET = { -9, -9, -9, -9, -9, -9, - -9, -9, -9, // Decimal 0 - 8 - -5, -5, // Whitespace: Tab and Linefeed - -9, -9, // Decimal 11 - 12 - -5, // Whitespace: Carriage Return - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - - // 26 - -9, -9, -9, -9, -9, // Decimal 27 - 31 - -5, // Whitespace: Space - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42 - -9, // Plus sign at decimal 43 - -9, // Decimal 44 - 0, // Minus sign at decimal 45 - -9, // Decimal 46 - -9, // Slash at decimal 47 - 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, // Numbers zero through nine - -9, -9, -9, // Decimal 58 - 60 - -1, // Equals sign at decimal 61 - -9, -9, -9, // Decimal 62 - 64 - 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, // Letters 'A' - // through 'M' - 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, // Letters 'N' - // through 'Z' - -9, -9, -9, -9, // Decimal 91 - 94 - 37, // Underscore at decimal 95 - -9, // Decimal 96 - 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, // Letters 'a' - // through 'm' - 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, // Letters 'n' - // through 'z' - -9, -9, -9, -9, -9 // Decimal 123 - 127 - , -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - // - 139 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - - // 152 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - - // 165 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - - // 178 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - - // 191 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - - // 204 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - - // 217 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - - // 230 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - - // 243 - -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255 - }; - - /* ******** D E T E R M I N E W H I C H A L H A B E T ******** */ - - /** - * Returns one of the _SOMETHING_ALPHABET byte arrays depending on the - * options specified. It's possible, though silly, to specify ORDERED - * <b>and</b> URLSAFE in which case one of them will be picked, though there - * is no guarantee as to which one will be picked. - */ - private final static byte[] getAlphabet(int options) { - if ((options & URL_SAFE) == URL_SAFE) { - return _URL_SAFE_ALPHABET; - } else if ((options & ORDERED) == ORDERED) { - return _ORDERED_ALPHABET; - } else { - return _STANDARD_ALPHABET; - } - } // end getAlphabet - - /** - * Returns one of the _SOMETHING_DECODABET byte arrays depending on the - * options specified. It's possible, though silly, to specify ORDERED and - * URL_SAFE in which case one of them will be picked, though there is no - * guarantee as to which one will be picked. - */ - private final static byte[] getDecodabet(int options) { - if ((options & URL_SAFE) == URL_SAFE) { - return _URL_SAFE_DECODABET; - } else if ((options & ORDERED) == ORDERED) { - return _ORDERED_DECODABET; - } else { - return _STANDARD_DECODABET; - } - } // end getAlphabet - - /** Defeats instantiation. */ - private Base64() { - } - - /* ******** E N C O D I N G M E T H O D S ******** */ - - /** - * Encodes up to the first three bytes of array <var>threeBytes</var> and - * returns a four-byte array in Base64 notation. The actual number of - * significant bytes in your array is given by <var>numSigBytes</var>. The - * array <var>threeBytes</var> needs only be as big as - * <var>numSigBytes</var>. Code can reuse a byte array by passing a - * four-byte array as <var>b4</var>. - * - * @param b4 - * A reusable byte array to reduce array instantiation - * @param threeBytes - * the array to convert - * @param numSigBytes - * the number of significant bytes in your array - * @return four byte array in Base64 notation. - * @since 1.5.1 - */ - private static byte[] encode3to4(byte[] b4, byte[] threeBytes, - int numSigBytes, int options) { - encode3to4(threeBytes, 0, numSigBytes, b4, 0, options); - return b4; - } // end encode3to4 - - /** - * <p> - * Encodes up to three bytes of the array <var>source</var> and writes the - * resulting four Base64 bytes to <var>destination</var>. The source and - * destination arrays can be manipulated anywhere along their length by - * specifying <var>srcOffset</var> and <var>destOffset</var>. This method - * does not check to make sure your arrays are large enough to accomodate - * <var>srcOffset</var> + 3 for the <var>source</var> array or - * <var>destOffset</var> + 4 for the <var>destination</var> array. The - * actual number of significant bytes in your array is given by - * <var>numSigBytes</var>. - * </p> - * <p> - * This is the lowest level of the encoding methods with all possible - * parameters. - * </p> - * - * @param source - * the array to convert - * @param srcOffset - * the index where conversion begins - * @param numSigBytes - * the number of significant bytes in your array - * @param destination - * the array to hold the conversion - * @param destOffset - * the index where output will be put - * @return the <var>destination</var> array - * @since 1.3 - */ - private static byte[] encode3to4(byte[] source, int srcOffset, - int numSigBytes, byte[] destination, int destOffset, int options) { - - byte[] ALPHABET = getAlphabet(options); - - // 1 2 3 - // 01234567890123456789012345678901 Bit position - // --------000000001111111122222222 Array position from threeBytes - // --------| || || || | Six bit groups to index ALPHABET - // >>18 >>12 >> 6 >> 0 Right shift necessary - // 0x3f 0x3f 0x3f Additional AND - - // Create buffer with zero-padding if there are only one or two - // significant bytes passed in the array. - // We have to shift left 24 in order to flush out the 1's that appear - // when Java treats a value as negative that is cast from a byte to an - // int. - int inBuff = (numSigBytes > 0 ? ((source[srcOffset] << 24) >>> 8) : 0) - | (numSigBytes > 1 ? ((source[srcOffset + 1] << 24) >>> 16) : 0) - | (numSigBytes > 2 ? ((source[srcOffset + 2] << 24) >>> 24) : 0); - - switch (numSigBytes) { - case 3: - destination[destOffset] = ALPHABET[(inBuff >>> 18)]; - destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f]; - destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f]; - destination[destOffset + 3] = ALPHABET[(inBuff) & 0x3f]; - return destination; - - case 2: - destination[destOffset] = ALPHABET[(inBuff >>> 18)]; - destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f]; - destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f]; - destination[destOffset + 3] = EQUALS_SIGN; - return destination; - - case 1: - destination[destOffset] = ALPHABET[(inBuff >>> 18)]; - destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f]; - destination[destOffset + 2] = EQUALS_SIGN; - destination[destOffset + 3] = EQUALS_SIGN; - return destination; - - default: - return destination; - } // end switch - } // end encode3to4 - - /** - * Performs Base64 encoding on the <code>raw</code> ByteBuffer, writing it - * to the <code>encoded</code> ByteBuffer. This is an experimental feature. - * Currently it does not pass along any options (such as - * {@link #DO_BREAK_LINES} or {@link #GZIP}. - * - * @param raw - * input buffer - * @param encoded - * output buffer - * @since 2.3 - */ - public static void encode(java.nio.ByteBuffer raw, - java.nio.ByteBuffer encoded) { - byte[] raw3 = new byte[3]; - byte[] enc4 = new byte[4]; - - while (raw.hasRemaining()) { - int rem = Math.min(3, raw.remaining()); - raw.get(raw3, 0, rem); - Base64.encode3to4(enc4, raw3, rem, Base64.NO_OPTIONS); - encoded.put(enc4); - } // end input remaining - } - - /** - * Performs Base64 encoding on the <code>raw</code> ByteBuffer, writing it - * to the <code>encoded</code> CharBuffer. This is an experimental feature. - * Currently it does not pass along any options (such as - * {@link #DO_BREAK_LINES} or {@link #GZIP}. - * - * @param raw - * input buffer - * @param encoded - * output buffer - * @since 2.3 - */ - public static void encode(java.nio.ByteBuffer raw, - java.nio.CharBuffer encoded) { - byte[] raw3 = new byte[3]; - byte[] enc4 = new byte[4]; - - while (raw.hasRemaining()) { - int rem = Math.min(3, raw.remaining()); - raw.get(raw3, 0, rem); - Base64.encode3to4(enc4, raw3, rem, Base64.NO_OPTIONS); - for (int i = 0; i < 4; i++) { - encoded.put((char) (enc4[i] & 0xFF)); - } - } // end input remaining - } - - /** - * Serializes an object and returns the Base64-encoded version of that - * serialized object. - * - * <p> - * As of v 2.3, if the object cannot be serialized or there is another - * error, the method will throw an java.io.IOException. <b>This is new to - * v2.3!</b> In earlier versions, it just returned a null value, but in - * retrospect that's a pretty poor way to handle it. - * </p> - * - * The object is not GZip-compressed before being encoded. - * - * @param serializableObject - * The object to encode - * @return The Base64-encoded object - * @throws java.io.IOException - * if there is an error - * @throws NullPointerException - * if serializedObject is null - * @since 1.4 - */ - public static String encodeObject(java.io.Serializable serializableObject) - throws java.io.IOException { - return encodeObject(serializableObject, NO_OPTIONS); - } // end encodeObject - - /** - * Serializes an object and returns the Base64-encoded version of that - * serialized object. - * - * <p> - * As of v 2.3, if the object cannot be serialized or there is another - * error, the method will throw an java.io.IOException. <b>This is new to - * v2.3!</b> In earlier versions, it just returned a null value, but in - * retrospect that's a pretty poor way to handle it. - * </p> - * - * The object is not GZip-compressed before being encoded. - * <p> - * Example options: - * - * <pre> - * GZIP: gzip-compresses object before encoding it. - * DO_BREAK_LINES: break lines at 76 characters - * </pre> - * <p> - * Example: <code>encodeObject( myObj, Base64.GZIP )</code> or - * <p> - * Example: - * <code>encodeObject( myObj, Base64.GZIP | Base64.DO_BREAK_LINES )</code> - * - * @param serializableObject - * The object to encode - * @param options - * Specified options - * @return The Base64-encoded object - * @see Base64#GZIP - * @see Base64#DO_BREAK_LINES - * @throws java.io.IOException - * if there is an error - * @since 2.0 - */ - public static String encodeObject(java.io.Serializable serializableObject, - int options) throws java.io.IOException { - - if (serializableObject == null) { - throw new NullPointerException("Cannot serialize a null object."); - } // end if: null - - // Streams - java.io.ByteArrayOutputStream baos = null; - java.io.OutputStream b64os = null; - java.util.zip.GZIPOutputStream gzos = null; - java.io.ObjectOutputStream oos = null; - - try { - // ObjectOutputStream -> (GZIP) -> Base64 -> ByteArrayOutputStream - baos = new java.io.ByteArrayOutputStream(); - b64os = new Base64.OutputStream(baos, ENCODE | options); - if ((options & GZIP) != 0) { - // Gzip - gzos = new java.util.zip.GZIPOutputStream(b64os); - oos = new java.io.ObjectOutputStream(gzos); - } else { - // Not gzipped - oos = new java.io.ObjectOutputStream(b64os); - } - oos.writeObject(serializableObject); - } // end try - catch (java.io.IOException e) { - // Catch it and then throw it immediately so that - // the finally{} block is called for cleanup. - throw e; - } // end catch - finally { - try { - oos.close(); - } catch (Exception e) { - } - try { - gzos.close(); - } catch (Exception e) { - } - try { - b64os.close(); - } catch (Exception e) { - } - try { - baos.close(); - } catch (Exception e) { - } - } // end finally - - // Return value according to relevant encoding. - try { - return new String(baos.toByteArray(), PREFERRED_ENCODING); - } // end try - catch (java.io.UnsupportedEncodingException uue) { - // Fall back to some Java default - return new String(baos.toByteArray()); - } // end catch - - } // end encode - - /** - * Encodes a byte array into Base64 notation. Does not GZip-compress data. - * - * @param source - * The data to convert - * @return The data in Base64-encoded form - * @throws NullPointerException - * if source array is null - * @since 1.4 - */ - public static String encodeBytes(byte[] source) { - // Since we're not going to have the GZIP encoding turned on, - // we're not going to have an java.io.IOException thrown, so - // we should not force the user to have to catch it. - String encoded = null; - try { - encoded = encodeBytes(source, 0, source.length, NO_OPTIONS); - } catch (java.io.IOException ex) { - assert false : ex.getMessage(); - } // end catch - assert encoded != null; - return encoded; - } // end encodeBytes - - /** - * Encodes a byte array into Base64 notation. - * <p> - * Example options: - * - * <pre> - * GZIP: gzip-compresses object before encoding it. - * DO_BREAK_LINES: break lines at 76 characters - * <i>Note: Technically, this makes your encoding non-compliant.</i> - * </pre> - * <p> - * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or - * <p> - * Example: - * <code>encodeBytes( myData, Base64.GZIP | Base64.DO_BREAK_LINES )</code> - * - * - * <p> - * As of v 2.3, if there is an error with the GZIP stream, the method will - * throw an java.io.IOException. <b>This is new to v2.3!</b> In earlier - * versions, it just returned a null value, but in retrospect that's a - * pretty poor way to handle it. - * </p> - * - * - * @param source - * The data to convert - * @param options - * Specified options - * @return The Base64-encoded data as a String - * @see Base64#GZIP - * @see Base64#DO_BREAK_LINES - * @throws java.io.IOException - * if there is an error - * @throws NullPointerException - * if source array is null - * @since 2.0 - */ - public static String encodeBytes(byte[] source, int options) - throws java.io.IOException { - return encodeBytes(source, 0, source.length, options); - } // end encodeBytes - - /** - * Encodes a byte array into Base64 notation. Does not GZip-compress data. - * - * <p> - * As of v 2.3, if there is an error, the method will throw an - * java.io.IOException. <b>This is new to v2.3!</b> In earlier versions, it - * just returned a null value, but in retrospect that's a pretty poor way to - * handle it. - * </p> - * - * - * @param source - * The data to convert - * @param off - * Offset in array where conversion should begin - * @param len - * Length of data to convert - * @return The Base64-encoded data as a String - * @throws NullPointerException - * if source array is null - * @throws IllegalArgumentException - * if source array, offset, or length are invalid - * @since 1.4 - */ - public static String encodeBytes(byte[] source, int off, int len) { - // Since we're not going to have the GZIP encoding turned on, - // we're not going to have an java.io.IOException thrown, so - // we should not force the user to have to catch it. - String encoded = null; - try { - encoded = encodeBytes(source, off, len, NO_OPTIONS); - } catch (java.io.IOException ex) { - assert false : ex.getMessage(); - } // end catch - assert encoded != null; - return encoded; - } // end encodeBytes - - /** - * Encodes a byte array into Base64 notation. - * <p> - * Example options: - * - * <pre> - * GZIP: gzip-compresses object before encoding it. - * DO_BREAK_LINES: break lines at 76 characters - * <i>Note: Technically, this makes your encoding non-compliant.</i> - * </pre> - * <p> - * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or - * <p> - * Example: - * <code>encodeBytes( myData, Base64.GZIP | Base64.DO_BREAK_LINES )</code> - * - * - * <p> - * As of v 2.3, if there is an error with the GZIP stream, the method will - * throw an java.io.IOException. <b>This is new to v2.3!</b> In earlier - * versions, it just returned a null value, but in retrospect that's a - * pretty poor way to handle it. - * </p> - * - * - * @param source - * The data to convert - * @param off - * Offset in array where conversion should begin - * @param len - * Length of data to convert - * @param options - * Specified options - * @return The Base64-encoded data as a String - * @see Base64#GZIP - * @see Base64#DO_BREAK_LINES - * @throws java.io.IOException - * if there is an error - * @throws NullPointerException - * if source array is null - * @throws IllegalArgumentException - * if source array, offset, or length are invalid - * @since 2.0 - */ - public static String encodeBytes(byte[] source, int off, int len, - int options) throws java.io.IOException { - byte[] encoded = encodeBytesToBytes(source, off, len, options); - - // Return value according to relevant encoding. - try { - return new String(encoded, PREFERRED_ENCODING); - } // end try - catch (java.io.UnsupportedEncodingException uue) { - return new String(encoded); - } // end catch - - } // end encodeBytes - - /** - * Similar to {@link #encodeBytes(byte[])} but returns a byte array instead - * of instantiating a String. This is more efficient if you're working with - * I/O streams and have large data sets to encode. - * - * - * @param source - * The data to convert - * @return The Base64-encoded data as a byte[] (of ASCII characters) - * @throws NullPointerException - * if source array is null - * @since 2.3.1 - */ - public static byte[] encodeBytesToBytes(byte[] source) { - byte[] encoded = null; - try { - encoded = encodeBytesToBytes(source, 0, source.length, - Base64.NO_OPTIONS); - } catch (java.io.IOException ex) { - assert false : "IOExceptions only come from GZipping, which is turned off: " - + ex.getMessage(); - } - return encoded; - } - - /** - * Similar to {@link #encodeBytes(byte[], int, int, int)} but returns a byte - * array instead of instantiating a String. This is more efficient if you're - * working with I/O streams and have large data sets to encode. - * - * - * @param source - * The data to convert - * @param off - * Offset in array where conversion should begin - * @param len - * Length of data to convert - * @param options - * Specified options - * @return The Base64-encoded data as a String - * @see Base64#GZIP - * @see Base64#DO_BREAK_LINES - * @throws java.io.IOException - * if there is an error - * @throws NullPointerException - * if source array is null - * @throws IllegalArgumentException - * if source array, offset, or length are invalid - * @since 2.3.1 - */ - public static byte[] encodeBytesToBytes(byte[] source, int off, int len, - int options) throws java.io.IOException { - - if (source == null) { - throw new NullPointerException("Cannot serialize a null array."); - } // end if: null - - if (off < 0) { - throw new IllegalArgumentException("Cannot have negative offset: " - + off); - } // end if: off < 0 - - if (len < 0) { - throw new IllegalArgumentException("Cannot have length offset: " - + len); - } // end if: len < 0 - - if (off + len > source.length) { - throw new IllegalArgumentException( - String - .format( - "Cannot have offset of %d and length of %d with array of length %d", - off, len, source.length)); - } // end if: off < 0 - - // Compress? - if ((options & GZIP) != 0) { - java.io.ByteArrayOutputStream baos = null; - java.util.zip.GZIPOutputStream gzos = null; - Base64.OutputStream b64os = null; - - try { - // GZip -> Base64 -> ByteArray - baos = new java.io.ByteArrayOutputStream(); - b64os = new Base64.OutputStream(baos, ENCODE | options); - gzos = new java.util.zip.GZIPOutputStream(b64os); - - gzos.write(source, off, len); - gzos.close(); - } // end try - catch (java.io.IOException e) { - // Catch it and then throw it immediately so that - // the finally{} block is called for cleanup. - throw e; - } // end catch - finally { - try { - gzos.close(); - } catch (Exception e) { - } - try { - b64os.close(); - } catch (Exception e) { - } - try { - baos.close(); - } catch (Exception e) { - } - } // end finally - - return baos.toByteArray(); - } // end if: compress - - // Else, don't compress. Better not to use streams at all then. - else { - boolean breakLines = (options & DO_BREAK_LINES) != 0; - - // int len43 = len * 4 / 3; - // byte[] outBuff = new byte[ ( len43 ) // Main 4:3 - // + ( (len % 3) > 0 ? 4 : 0 ) // Account for padding - // + (breakLines ? ( len43 / MAX_LINE_LENGTH ) : 0) ]; // New lines - // Try to determine more precisely how big the array needs to be. - // If we get it right, we don't have to do an array copy, and - // we save a bunch of memory. - int encLen = (len / 3) * 4 + (len % 3 > 0 ? 4 : 0); // Bytes needed - // for actual - // encoding - if (breakLines) { - encLen += encLen / MAX_LINE_LENGTH; // Plus extra newline - // characters - } - byte[] outBuff = new byte[encLen]; - - int d = 0; - int e = 0; - int len2 = len - 2; - int lineLength = 0; - for (; d < len2; d += 3, e += 4) { - encode3to4(source, d + off, 3, outBuff, e, options); - - lineLength += 4; - if (breakLines && lineLength >= MAX_LINE_LENGTH) { - outBuff[e + 4] = NEW_LINE; - e++; - lineLength = 0; - } // end if: end of line - } // en dfor: each piece of array - - if (d < len) { - encode3to4(source, d + off, len - d, outBuff, e, options); - e += 4; - } // end if: some padding needed - - // Only resize array if we didn't guess it right. - if (e <= outBuff.length - 1) { - // If breaking lines and the last byte falls right at - // the line length (76 bytes per line), there will be - // one extra byte, and the array will need to be resized. - // Not too bad of an estimate on array size, I'd say. - byte[] finalOut = new byte[e]; - System.arraycopy(outBuff, 0, finalOut, 0, e); - // System.err.println("Having to resize array from " + - // outBuff.length + " to " + e ); - return finalOut; - } else { - // System.err.println("No need to resize array."); - return outBuff; - } - - } // end else: don't compress - - } // end encodeBytesToBytes - - /* ******** D E C O D I N G M E T H O D S ******** */ - - /** - * Decodes four bytes from array <var>source</var> and writes the resulting - * bytes (up to three of them) to <var>destination</var>. The source and - * destination arrays can be manipulated anywhere along their length by - * specifying <var>srcOffset</var> and <var>destOffset</var>. This method - * does not check to make sure your arrays are large enough to accomodate - * <var>srcOffset</var> + 4 for the <var>source</var> array or - * <var>destOffset</var> + 3 for the <var>destination</var> array. This - * method returns the actual number of bytes that were converted from the - * Base64 encoding. - * <p> - * This is the lowest level of the decoding methods with all possible - * parameters. - * </p> - * - * - * @param source - * the array to convert - * @param srcOffset - * the index where conversion begins - * @param destination - * the array to hold the conversion - * @param destOffset - * the index where output will be put - * @param options - * alphabet type is pulled from this (standard, url-safe, - * ordered) - * @return the number of decoded bytes converted - * @throws NullPointerException - * if source or destination arrays are null - * @throws IllegalArgumentException - * if srcOffset or destOffset are invalid or there is not enough - * room in the array. - * @since 1.3 - */ - private static int decode4to3(byte[] source, int srcOffset, - byte[] destination, int destOffset, int options) { - - // Lots of error checking and exception throwing - if (source == null) { - throw new NullPointerException("Source array was null."); - } // end if - if (destination == null) { - throw new NullPointerException("Destination array was null."); - } // end if - if (srcOffset < 0 || srcOffset + 3 >= source.length) { - throw new IllegalArgumentException( - String - .format( - "Source array with length %d cannot have offset of %d and still process four bytes.", - source.length, srcOffset)); - } // end if - if (destOffset < 0 || destOffset + 2 >= destination.length) { - throw new IllegalArgumentException( - String - .format( - "Destination array with length %d cannot have offset of %d and still store three bytes.", - destination.length, destOffset)); - } // end if - - byte[] DECODABET = getDecodabet(options); - - // Example: Dk== - if (source[srcOffset + 2] == EQUALS_SIGN) { - // Two ways to do the same thing. Don't know which way I like best. - // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 - // ) - // | ( ( DECODABET[ source[ srcOffset + 1] ] << 24 ) >>> 12 ); - int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) - | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12); - - destination[destOffset] = (byte) (outBuff >>> 16); - return 1; - } - - // Example: DkL= - else if (source[srcOffset + 3] == EQUALS_SIGN) { - // Two ways to do the same thing. Don't know which way I like best. - // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 - // ) - // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 ) - // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 ); - int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) - | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12) - | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6); - - destination[destOffset] = (byte) (outBuff >>> 16); - destination[destOffset + 1] = (byte) (outBuff >>> 8); - return 2; - } - - // Example: DkLE - else { - // Two ways to do the same thing. Don't know which way I like best. - // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 - // ) - // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 ) - // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 ) - // | ( ( DECODABET[ source[ srcOffset + 3 ] ] << 24 ) >>> 24 ); - int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) - | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12) - | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6) - | ((DECODABET[source[srcOffset + 3]] & 0xFF)); - - destination[destOffset] = (byte) (outBuff >> 16); - destination[destOffset + 1] = (byte) (outBuff >> 8); - destination[destOffset + 2] = (byte) (outBuff); - - return 3; - } - } // end decodeToBytes - - /** - * Low-level access to decoding ASCII characters in the form of a byte - * array. <strong>Ignores GUNZIP option, if it's set.</strong> This is not - * generally a recommended method, although it is used internally as part of - * the decoding process. Special case: if len = 0, an empty array is - * returned. Still, if you need more speed and reduced memory footprint (and - * aren't gzipping), consider this method. - * - * @param source - * The Base64 encoded data - * @return decoded data - * @since 2.3.1 - */ - public static byte[] decode(byte[] source) throws java.io.IOException { - byte[] decoded = null; - // try { - decoded = decode(source, 0, source.length, Base64.NO_OPTIONS); - // } catch( java.io.IOException ex ) { - // assert false : - // "IOExceptions only come from GZipping, which is turned off: " + - // ex.getMessage(); - // } - return decoded; - } - - /** - * Low-level access to decoding ASCII characters in the form of a byte - * array. <strong>Ignores GUNZIP option, if it's set.</strong> This is not - * generally a recommended method, although it is used internally as part of - * the decoding process. Special case: if len = 0, an empty array is - * returned. Still, if you need more speed and reduced memory footprint (and - * aren't gzipping), consider this method. - * - * @param source - * The Base64 encoded data - * @param off - * The offset of where to begin decoding - * @param len - * The length of characters to decode - * @param options - * Can specify options such as alphabet type to use - * @return decoded data - * @throws java.io.IOException - * If bogus characters exist in source data - * @since 1.3 - */ - public static byte[] decode(byte[] source, int off, int len, int options) - throws java.io.IOException { - - // Lots of error checking and exception throwing - if (source == null) { - throw new NullPointerException("Cannot decode null source array."); - } // end if - if (off < 0 || off + len > source.length) { - throw new IllegalArgumentException( - String - .format( - "Source array with length %d cannot have offset of %d and process %d bytes.", - source.length, off, len)); - } // end if - - if (len == 0) { - return new byte[0]; - } else if (len < 4) { - throw new IllegalArgumentException( - "Base64-encoded string must have at least four characters, but length specified was " - + len); - } // end if - - byte[] DECODABET = getDecodabet(options); - - int len34 = len * 3 / 4; // Estimate on array size - byte[] outBuff = new byte[len34]; // Upper limit on size of output - int outBuffPosn = 0; // Keep track of where we're writing - - byte[] b4 = new byte[4]; // Four byte buffer from source, eliminating - // white space - int b4Posn = 0; // Keep track of four byte input buffer - int i = 0; // Source array counter - byte sbiDecode = 0; // Special value from DECODABET - - for (i = off; i < off + len; i++) { // Loop through source - - sbiDecode = DECODABET[source[i] & 0xFF]; - - // White space, Equals sign, or legit Base64 character - // Note the values such as -5 and -9 in the - // DECODABETs at the top of the file. - if (sbiDecode >= WHITE_SPACE_ENC) { - if (sbiDecode >= EQUALS_SIGN_ENC) { - b4[b4Posn++] = source[i]; // Save non-whitespace - if (b4Posn > 3) { // Time to decode? - outBuffPosn += decode4to3(b4, 0, outBuff, outBuffPosn, - options); - b4Posn = 0; - - // If that was the equals sign, break out of 'for' loop - if (source[i] == EQUALS_SIGN) { - break; - } // end if: equals sign - } // end if: quartet built - } // end if: equals sign or better - } // end if: white space, equals sign or better - else { - // There's a bad input character in the Base64 stream. - throw new java.io.IOException( - String - .format( - "Bad Base64 input character decimal %d in array position %d", - ((int) source[i]) & 0xFF, i)); - } // end else: - } // each input character - - byte[] out = new byte[outBuffPosn]; - System.arraycopy(outBuff, 0, out, 0, outBuffPosn); - return out; - } // end decode - - /** - * Decodes data from Base64 notation, automatically detecting - * gzip-compressed data and decompressing it. - * - * @param s - * the string to decode - * @return the decoded data - * @throws java.io.IOException - * If there is a problem - * @since 1.4 - */ - public static byte[] decode(String s) throws java.io.IOException { - return decode(s, NO_OPTIONS); - } - - /** - * Decodes data from Base64 notation, automatically detecting - * gzip-compressed data and decompressing it. - * - * @param s - * the string to decode - * @param options - * encode options such as URL_SAFE - * @return the decoded data - * @throws java.io.IOException - * if there is an error - * @throws NullPointerException - * if <tt>s</tt> is null - * @since 1.4 - */ - public static byte[] decode(String s, int options) - throws java.io.IOException { - - if (s == null) { - throw new NullPointerException("Input string was null."); - } // end if - - byte[] bytes; - try { - bytes = s.getBytes(PREFERRED_ENCODING); - } // end try - catch (java.io.UnsupportedEncodingException uee) { - bytes = s.getBytes(); - } // end catch - // </change> - - // Decode - bytes = decode(bytes, 0, bytes.length, options); - - // Check to see if it's gzip-compressed - // GZIP Magic Two-Byte Number: 0x8b1f (35615) - boolean dontGunzip = (options & DONT_GUNZIP) != 0; - if ((bytes != null) && (bytes.length >= 4) && (!dontGunzip)) { - - int head = ((int) bytes[0] & 0xff) | ((bytes[1] << 8) & 0xff00); - if (java.util.zip.GZIPInputStream.GZIP_MAGIC == head) { - java.io.ByteArrayInputStream bais = null; - java.util.zip.GZIPInputStream gzis = null; - java.io.ByteArrayOutputStream baos = null; - byte[] buffer = new byte[2048]; - int length = 0; - - try { - baos = new java.io.ByteArrayOutputStream(); - bais = new java.io.ByteArrayInputStream(bytes); - gzis = new java.util.zip.GZIPInputStream(bais); - - while ((length = gzis.read(buffer)) >= 0) { - baos.write(buffer, 0, length); - } // end while: reading input - - // No error? Get new bytes. - bytes = baos.toByteArray(); - - } // end try - catch (java.io.IOException e) { - e.printStackTrace(); - // Just return originally-decoded bytes - } // end catch - finally { - try { - baos.close(); - } catch (Exception e) { - } - try { - gzis.close(); - } catch (Exception e) { - } - try { - bais.close(); - } catch (Exception e) { - } - } // end finally - - } // end if: gzipped - } // end if: bytes.length >= 2 - - return bytes; - } // end decode - - /* ******** I N N E R C L A S S O U T P U T S T R E A M ******** */ - - /** - * A {@link Base64.OutputStream} will write data to another - * <tt>java.io.OutputStream</tt>, given in the constructor, and - * encode/decode to/from Base64 notation on the fly. - * - * @see Base64 - * @since 1.3 - */ - public static class OutputStream extends java.io.FilterOutputStream { - - private boolean encode; - private int position; - private byte[] buffer; - private int bufferLength; - private int lineLength; - private boolean breakLines; - private byte[] b4; // Scratch used in a few places - private boolean suspendEncoding; - private int options; // Record for later - private byte[] decodabet; // Local copies to avoid extra method calls - - /** - * Constructs a {@link Base64.OutputStream} in ENCODE mode. - * - * @param out - * the <tt>java.io.OutputStream</tt> to which data will be - * written. - * @since 1.3 - */ - public OutputStream(java.io.OutputStream out) { - this(out, ENCODE); - } // end constructor - - /** - * Constructs a {@link Base64.OutputStream} in either ENCODE or DECODE - * mode. - * <p> - * Valid options: - * - * <pre> - * ENCODE or DECODE: Encode or Decode as data is read. - * DO_BREAK_LINES: don't break lines at 76 characters - * (only meaningful when encoding)</i> - * </pre> - * <p> - * Example: <code>new Base64.OutputStream( out, Base64.ENCODE )</code> - * - * @param out - * the <tt>java.io.OutputStream</tt> to which data will be - * written. - * @param options - * Specified options. - * @see Base64#ENCODE - * @see Base64#DECODE - * @see Base64#DO_BREAK_LINES - * @since 1.3 - */ - public OutputStream(java.io.OutputStream out, int options) { - super(out); - this.breakLines = (options & DO_BREAK_LINES) != 0; - this.encode = (options & ENCODE) != 0; - this.bufferLength = encode ? 3 : 4; - this.buffer = new byte[bufferLength]; - this.position = 0; - this.lineLength = 0; - this.suspendEncoding = false; - this.b4 = new byte[4]; - this.options = options; - this.decodabet = getDecodabet(options); - } // end constructor - - /** - * Writes the byte to the output stream after converting to/from Base64 - * notation. When encoding, bytes are buffered three at a time before - * the output stream actually gets a write() call. When decoding, bytes - * are buffered four at a time. - * - * @param theByte - * the byte to write - * @since 1.3 - */ - @Override - public void write(int theByte) throws java.io.IOException { - // Encoding suspended? - if (suspendEncoding) { - this.out.write(theByte); - return; - } // end if: supsended - - // Encode? - if (encode) { - buffer[position++] = (byte) theByte; - if (position >= bufferLength) { // Enough to encode. - - this.out - .write(encode3to4(b4, buffer, bufferLength, options)); - - lineLength += 4; - if (breakLines && lineLength >= MAX_LINE_LENGTH) { - this.out.write(NEW_LINE); - lineLength = 0; - } // end if: end of line - - position = 0; - } // end if: enough to output - } // end if: encoding - - // Else, Decoding - else { - // Meaningful Base64 character? - if (decodabet[theByte & 0x7f] > WHITE_SPACE_ENC) { - buffer[position++] = (byte) theByte; - if (position >= bufferLength) { // Enough to output. - - int len = Base64.decode4to3(buffer, 0, b4, 0, options); - out.write(b4, 0, len); - position = 0; - } // end if: enough to output - } // end if: meaningful base64 character - else if (decodabet[theByte & 0x7f] != WHITE_SPACE_ENC) { - throw new java.io.IOException( - "Invalid character in Base64 data."); - } // end else: not white space either - } // end else: decoding - } // end write - - /** - * Calls {@link #write(int)} repeatedly until <var>len</var> bytes are - * written. - * - * @param theBytes - * array from which to read bytes - * @param off - * offset for array - * @param len - * max number of bytes to read into array - * @since 1.3 - */ - @Override - public void write(byte[] theBytes, int off, int len) - throws java.io.IOException { - // Encoding suspended? - if (suspendEncoding) { - this.out.write(theBytes, off, len); - return; - } // end if: supsended - - for (int i = 0; i < len; i++) { - write(theBytes[off + i]); - } // end for: each byte written - - } // end write - - /** - * Method added by PHIL. [Thanks, PHIL. -Rob] This pads the buffer - * without closing the stream. - * - * @throws java.io.IOException - * if there's an error. - */ - public void flushBase64() throws java.io.IOException { - if (position > 0) { - if (encode) { - out.write(encode3to4(b4, buffer, position, options)); - position = 0; - } // end if: encoding - else { - throw new java.io.IOException( - "Base64 input not properly padded."); - } // end else: decoding - } // end if: buffer partially full - - } // end flush - - /** - * Flushes and closes (I think, in the superclass) the stream. - * - * @since 1.3 - */ - @Override - public void close() throws java.io.IOException { - // 1. Ensure that pending characters are written - flushBase64(); - - // 2. Actually close the stream - // Base class both flushes and closes. - super.close(); - - buffer = null; - out = null; - } // end close - - /** - * Suspends encoding of the stream. May be helpful if you need to embed - * a piece of base64-encoded data in a stream. - * - * @throws java.io.IOException - * if there's an error flushing - * @since 1.5.1 - */ - public void suspendEncoding() throws java.io.IOException { - flushBase64(); - this.suspendEncoding = true; - } // end suspendEncoding - - /** - * Resumes encoding of the stream. May be helpful if you need to embed a - * piece of base64-encoded data in a stream. - * - * @since 1.5.1 - */ - public void resumeEncoding() { - this.suspendEncoding = false; - } // end resumeEncoding - - } // end inner class OutputStream - -} // end class Base64 \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWeb.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWeb.java b/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWeb.java deleted file mode 100644 index 223a110..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWeb.java +++ /dev/null @@ -1,138 +0,0 @@ -package com.duosecurity.duoweb; - -import java.io.IOException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; - -public final class DuoWeb { - private static final String DUO_PREFIX = "TX"; - private static final String APP_PREFIX = "APP"; - private static final String AUTH_PREFIX = "AUTH"; - - private static final int DUO_EXPIRE = 300; - private static final int APP_EXPIRE = 3600; - - private static final int IKEY_LEN = 20; - private static final int SKEY_LEN = 40; - private static final int AKEY_LEN = 40; - - public static final String ERR_USER = "ERR|The username passed to sign_request() is invalid."; - public static final String ERR_IKEY = "ERR|The Duo integration key passed to sign_request() is invalid."; - public static final String ERR_SKEY = "ERR|The Duo secret key passed to sign_request() is invalid."; - public static final String ERR_AKEY = "ERR|The application secret key passed to sign_request() must be at least " + AKEY_LEN + " characters."; - public static final String ERR_UNKNOWN = "ERR|An unknown error has occurred."; - - public static String signRequest(final String ikey, final String skey, final String akey, final String username) { - return signRequest(ikey, skey, akey, username, System.currentTimeMillis() / 1000); - } - - public static String signRequest(final String ikey, final String skey, final String akey, final String username, final long time) { - final String duo_sig; - final String app_sig; - - if (username.equals("")) { - return ERR_USER; - } - if (username.indexOf('|') != -1) { - return ERR_USER; - } - if (ikey.equals("") || ikey.length() != IKEY_LEN) { - return ERR_IKEY; - } - if (skey.equals("") || skey.length() != SKEY_LEN) { - return ERR_SKEY; - } - if (akey.equals("") || akey.length() < AKEY_LEN) { - return ERR_AKEY; - } - - try { - duo_sig = signVals(skey, username, ikey, DUO_PREFIX, DUO_EXPIRE, time); - app_sig = signVals(akey, username, ikey, APP_PREFIX, APP_EXPIRE, time); - } catch (Exception e) { - return ERR_UNKNOWN; - } - - return duo_sig + ":" + app_sig; - } - - public static String verifyResponse(final String ikey, final String skey, final String akey, final String sig_response) - throws DuoWebException, NoSuchAlgorithmException, InvalidKeyException, IOException { - return verifyResponse(ikey, skey, akey, sig_response, System.currentTimeMillis() / 1000); - } - - public static String verifyResponse(final String ikey, final String skey, final String akey, final String sig_response, final long time) - throws DuoWebException, NoSuchAlgorithmException, InvalidKeyException, IOException { - String auth_user = null; - String app_user = null; - - final String[] sigs = sig_response.split(":"); - final String auth_sig = sigs[0]; - final String app_sig = sigs[1]; - - auth_user = parseVals(skey, auth_sig, AUTH_PREFIX, ikey, time); - app_user = parseVals(akey, app_sig, APP_PREFIX, ikey, time); - - if (!auth_user.equals(app_user)) { - throw new DuoWebException("Authentication failed."); - } - - return auth_user; - } - - private static String signVals(final String key, final String username, final String ikey, final String prefix, final int expire, final long time) - throws InvalidKeyException, NoSuchAlgorithmException { - final long expire_ts = time + expire; - final String exp = Long.toString(expire_ts); - - final String val = username + "|" + ikey + "|" + exp; - final String cookie = prefix + "|" + Base64.encodeBytes(val.getBytes()); - final String sig = Util.hmacSign(key, cookie); - - return cookie + "|" + sig; - } - - private static String parseVals(final String key, final String val, final String prefix, final String ikey, final long time) - throws InvalidKeyException, NoSuchAlgorithmException, IOException, DuoWebException { - - final String[] parts = val.split("\\|"); - if (parts.length != 3) { - throw new DuoWebException("Invalid response"); - } - - final String u_prefix = parts[0]; - final String u_b64 = parts[1]; - final String u_sig = parts[2]; - - final String sig = Util.hmacSign(key, u_prefix + "|" + u_b64); - if (!Util.hmacSign(key, sig).equals(Util.hmacSign(key, u_sig))) { - throw new DuoWebException("Invalid response"); - } - - if (!u_prefix.equals(prefix)) { - throw new DuoWebException("Invalid response"); - } - - final byte[] decoded = Base64.decode(u_b64); - final String cookie = new String(decoded); - - final String[] cookie_parts = cookie.split("\\|"); - if (cookie_parts.length != 3) { - throw new DuoWebException("Invalid response"); - } - final String username = cookie_parts[0]; - final String u_ikey = cookie_parts[1]; - final String expire = cookie_parts[2]; - - if (!u_ikey.equals(ikey)) { - throw new DuoWebException("Invalid response"); - } - - final long expire_ts = Long.parseLong(expire); - if (time >= expire_ts) { - throw new DuoWebException("Transaction has expired. Please check that the system time is correct."); - } - - return username; - } -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWebException.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWebException.java b/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWebException.java deleted file mode 100644 index f721df7..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/DuoWebException.java +++ /dev/null @@ -1,8 +0,0 @@ -package com.duosecurity.duoweb; - -public class DuoWebException extends Exception { - - public DuoWebException(String message) { - super(message); - } -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Util.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Util.java b/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Util.java deleted file mode 100644 index 55d7712..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/com/duosecurity/duoweb/Util.java +++ /dev/null @@ -1,26 +0,0 @@ -package com.duosecurity.duoweb; - -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; - -import javax.crypto.Mac; -import javax.crypto.spec.SecretKeySpec; - -public class Util { - public static String hmacSign(String skey, String data) - throws NoSuchAlgorithmException, InvalidKeyException { - SecretKeySpec key = new SecretKeySpec(skey.getBytes(), "HmacSHA1"); - Mac mac = Mac.getInstance("HmacSHA1"); - mac.init(key); - byte[] raw = mac.doFinal(data.getBytes()); - return bytesToHex(raw); - } - - public static String bytesToHex(byte[] b) { - String result = ""; - for (int i = 0; i < b.length; i++) { - result += Integer.toString((b[i] & 0xff) + 0x100, 16).substring(1); - } - return result; - } -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index 2dfc4eb..705e37d 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -21,6 +21,7 @@ package org.apache.guacamole.auth.duo; import com.google.inject.AbstractModule; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.duo.api.DuoService; import org.apache.guacamole.auth.duo.conf.ConfigurationService; import org.apache.guacamole.environment.Environment; import org.apache.guacamole.environment.LocalEnvironment; @@ -73,7 +74,7 @@ public class DuoAuthenticationProviderModule extends AbstractModule { // Bind Duo-specific services bind(ConfigurationService.class); - bind(DuoWebService.class); + bind(DuoService.class); bind(UserVerificationService.class); } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoWebService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoWebService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoWebService.java deleted file mode 100644 index 3cdfdde..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoWebService.java +++ /dev/null @@ -1,212 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo; - -import com.duosecurity.duoweb.DuoWeb; -import com.duosecurity.duoweb.DuoWebException; -import com.google.inject.Inject; -import java.io.IOException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.util.regex.Matcher; -import java.util.regex.Pattern; -import org.apache.guacamole.GuacamoleClientException; -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleServerException; -import org.apache.guacamole.auth.duo.conf.ConfigurationService; -import org.apache.guacamole.net.auth.AuthenticatedUser; - -/** - * Service which wraps the DuoWeb Java API, providing predictable behavior and - * error handling. - */ -public class DuoWebService { - - /** - * A regular expression which matches a valid signature part of a Duo - * signed response. A signature part may not contain pipe symbols (which - * act as delimiters between parts) nor colons (which act as delimiters - * between signatures). - */ - private final String SIGNATURE_PART = "[^:|]*"; - - /** - * A regular expression which matches a valid signature within a Duo - * signed response. Each signature is made up of three distinct parts, - * separated by pipe symbols. - */ - private final String SIGNATURE = SIGNATURE_PART + "\\|" + SIGNATURE_PART + "\\|" + SIGNATURE_PART; - - /** - * A regular expression which matches a valid Duo signed response. Each - * response is made up of two signatures, separated by a colon. - */ - private final String RESPONSE = SIGNATURE + ":" + SIGNATURE; - - /** - * A Pattern which matches valid Duo signed responses. Strings which will - * be passed to DuoWeb.verifyResponse() MUST be matched against this - * Pattern. Strings which do not match this Pattern may cause - * DuoWeb.verifyResponse() to throw unchecked exceptions. - */ - private final Pattern RESPONSE_PATTERN = Pattern.compile(RESPONSE); - - /** - * Service for retrieving Duo configuration information. - */ - @Inject - private ConfigurationService confService; - - /** - * Creates and signs a new request to verify the identity of the given - * user. This request may ultimately be sent to Duo, resulting in a signed - * response from Duo if that verification succeeds. - * - * @param authenticatedUser - * The user whose identity should be verified. - * - * @return - * A signed user verification request which can be sent to Duo. - * - * @throws GuacamoleException - * If required Duo-specific configuration options are missing or - * invalid, or if an error occurs within the DuoWeb API which prevents - * generation of the signed request. - */ - public String createSignedRequest(AuthenticatedUser authenticatedUser) - throws GuacamoleException { - - // Retrieve username from externally-authenticated user - String username = authenticatedUser.getIdentifier(); - - // Retrieve Duo-specific keys from configuration - String ikey = confService.getIntegrationKey(); - String skey = confService.getSecretKey(); - String akey = confService.getApplicationKey(); - - // Create signed request for the provided user - String signedRequest = DuoWeb.signRequest(ikey, skey, akey, username); - - if (DuoWeb.ERR_AKEY.equals(signedRequest)) - throw new GuacamoleServerException("The Duo application key " - + "must is not valid. Duo application keys must be at " - + "least 40 characters long."); - - if (DuoWeb.ERR_IKEY.equals(signedRequest)) - throw new GuacamoleServerException("The provided Duo integration " - + "key is not valid. Integration keys must be exactly 20 " - + "characters long."); - - if (DuoWeb.ERR_SKEY.equals(signedRequest)) - throw new GuacamoleServerException("The provided Duo secret key " - + "is not valid. Secret keys must be exactly 40 " - + "characters long."); - - if (DuoWeb.ERR_USER.equals(signedRequest)) - throw new GuacamoleServerException("The provided username is " - + "not valid. Duo usernames may not be blank, nor may " - + "they contain pipe symbols (\"|\")."); - - if (DuoWeb.ERR_UNKNOWN.equals(signedRequest)) - throw new GuacamoleServerException("An unknown error within the " - + "DuoWeb API prevented the signed request from being " - + "generated."); - - // Return signed request if no error is indicated - return signedRequest; - - } - - /** - * Returns whether the given signed response is a valid response from Duo - * which verifies the identity of the given user. If the given response is - * invalid or does not verify the identity of the given user (including if - * it is a valid response which verifies the identity of a DIFFERENT user), - * false is returned. - * - * @param authenticatedUser - * The user that the given signed response should verify. - * - * @param signedResponse - * The signed response received from Duo in response to a signed - * request. - * - * @return - * true if the signed response is a valid response from Duo AND verifies - * the identity of the given user, false otherwise. - * - * @throws GuacamoleException - * If required Duo-specific configuration options are missing or - * invalid, or if an error occurs within the DuoWeb API which prevents - * validation of the signed response. - */ - public boolean isValidSignedResponse(AuthenticatedUser authenticatedUser, - String signedResponse) throws GuacamoleException { - - // Verify signature response format will not cause - // DuoWeb.verifyResponse() to fail with unchecked exceptions - Matcher responseMatcher = RESPONSE_PATTERN.matcher(signedResponse); - if (!responseMatcher.matches()) - throw new GuacamoleClientException("Invalid Duo response format."); - - // Retrieve username from externally-authenticated user - String username = authenticatedUser.getIdentifier(); - - // Retrieve Duo-specific keys from configuration - String ikey = confService.getIntegrationKey(); - String skey = confService.getSecretKey(); - String akey = confService.getApplicationKey(); - - // Verify validity of signed response - String verifiedUsername; - try { - verifiedUsername = DuoWeb.verifyResponse(ikey, skey, akey, - signedResponse); - } - - // Rethrow any errors as appropriate GuacamoleExceptions - catch (IOException e) { - throw new GuacamoleClientException("Decoding of Duo response " - + "failed: Invalid base64 content.", e); - } - catch (NumberFormatException e) { - throw new GuacamoleClientException("Decoding of Duo response " - + "failed: Invalid expiry timestamp.", e); - } - catch (InvalidKeyException e) { - throw new GuacamoleServerException("Unable to produce HMAC " - + "signature: " + e.getMessage(), e); - } - catch (NoSuchAlgorithmException e) { - throw new GuacamoleServerException("Environment is missing " - + "support for producing HMAC-SHA1 signatures.", e); - } - catch (DuoWebException e) { - throw new GuacamoleClientException("Duo response verification " - + "failed: " + e.getMessage(), e); - } - - // Signed response is valid iff the associated username matches the - // user's username - return username.equals(verifiedUsername); - - } - -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index 3209be2..777c96b 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -24,6 +24,7 @@ import java.util.Collections; import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.GuacamoleClientException; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.duo.api.DuoService; import org.apache.guacamole.auth.duo.conf.ConfigurationService; import org.apache.guacamole.auth.duo.form.DuoSignedResponseField; import org.apache.guacamole.form.Field; @@ -44,10 +45,10 @@ public class UserVerificationService { private ConfigurationService confService; /** - * Service for verifying users with the DuoWeb API. + * Service for verifying users against Duo. */ @Inject - private DuoWebService duoWebService; + private DuoService duoService; /** * Verifies the identity of the given user via the Duo multi-factor @@ -86,7 +87,7 @@ public class UserVerificationService { // Duo API endpoint Field signedResponseField = new DuoSignedResponseField( confService.getAPIHostname(), - duoWebService.createSignedRequest(authenticatedUser)); + duoService.createSignedRequest(authenticatedUser)); // Create an overall description of the additional credentials // required to verify identity @@ -100,7 +101,7 @@ public class UserVerificationService { } // If signed response does not verify this user's identity, abort auth - if (!duoWebService.isValidSignedResponse(authenticatedUser, signedResponse)) + if (!duoService.isValidSignedResponse(authenticatedUser, signedResponse)) throw new GuacamoleClientException("LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9056bb0f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java new file mode 100644 index 0000000..1de9a67 --- /dev/null +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java @@ -0,0 +1,245 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.duo.api; + +import java.io.UnsupportedEncodingException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.xml.bind.DatatypeConverter; +import org.apache.guacamole.GuacamoleClientException; +import org.apache.guacamole.GuacamoleException; + +/** + * Data which describes the identity of the user being verified by Duo. + */ +public class DuoCookie { + + /** + * Pattern which matches valid cookies. Each cookie is made up of three + * sections, separated from each other by pipe symbols ("|"). + */ + private static final Pattern COOKIE_FORMAT = Pattern.compile("([^|]+)\\|([^|]+)\\|([0-9]+)"); + + /** + * The index of the capturing group within COOKIE_FORMAT which contains the + * username. + */ + private static final int USERNAME_GROUP = 1; + + /** + * The index of the capturing group within COOKIE_FORMAT which contains the + * integration key. + */ + private static final int INTEGRATION_KEY_GROUP = 2; + + /** + * The index of the capturing group within COOKIE_FORMAT which contains the + * expiration timestamp. + */ + private static final int EXPIRATION_TIMESTAMP_GROUP = 3; + + /** + * The username of the user being verified. + */ + private final String username; + + /** + * The integration key provided by Duo and specific to this deployment of + * Guacamole. + */ + private final String integrationKey; + + /** + * The time that this cookie expires, in seconds since midnight of + * 1970-01-01 (UTC). + */ + private final long expires; + + /** + * Creates a new DuoCookie which describes the identity of a user being + * verified. + * + * @param username + * The username of the user being verified. + * + * @param integrationKey + * The integration key provided by Duo and specific to this deployment + * of Guacamole. + * + * @param expires + * The time that this cookie expires, in seconds since midnight of + * 1970-01-01 (UTC). + */ + public DuoCookie(String username, String integrationKey, long expires) { + this.username = username; + this.integrationKey = integrationKey; + this.expires = expires; + } + + /** + * Returns the username of the user being verified. + * + * @return + * The username of the user being verified. + */ + public String getUsername() { + return username; + } + + /** + * Returns the integration key provided by Duo and specific to this + * deployment of Guacamole. + * + * @return + * The integration key provided by Duo and specific to this deployment + * of Guacamole. + */ + public String getIntegrationKey() { + return integrationKey; + } + + /** + * Returns the time that this cookie expires. The expiration time is + * represented in seconds since midnight of 1970-01-01 (UTC). + * + * @return + * The time that this cookie expires, in seconds since midnight of + * 1970-01-01 (UTC). + */ + public long getExpirationTimestamp(){ + return expires; + } + + /** + * Returns the current time as the number of seconds elapsed since + * midnight of 1970-01-01 (UTC). + * + * @return + * The current time as the number of seconds elapsed since midnight of + * 1970-01-01 (UTC). + */ + public static long currentTimestamp() { + return System.currentTimeMillis() / 1000; + } + + /** + * Returns whether this cookie has expired (the current time has met or + * exceeded the expiration timestamp). + * + * @return + * true if this cookie has expired, false otherwise. + */ + public boolean isExpired() { + return currentTimestamp() >= expires; + } + + /** + * Parses a base64-encoded Duo cookie, producing a new DuoCookie object + * containing the data therein. If the given string is not a valid Duo + * cookie, an exception is thrown. Note that the cookie may be expired, and + * must be checked for expiration prior to actual use. + * + * @param str + * The base64-encoded Duo cookie to parse. + * + * @return + * A new DuoCookie object containing the same data as the given + * base64-encoded Duo cookie string. + * + * @throws GuacamoleException + * If the given string is not a valid base64-encoded Duo cookie. + */ + public static DuoCookie parseDuoCookie(String str) throws GuacamoleException { + + // Attempt to decode data as base64 + String data; + try { + data = new String(DatatypeConverter.parseBase64Binary(str), "UTF-8"); + } + + // Bail if invalid base64 is provided + catch (IllegalArgumentException e) { + throw new GuacamoleClientException("Username is not correctly " + + "encoded as base64.", e); + } + + // Throw hard errors if standard pieces of Java are missing + catch (UnsupportedEncodingException e) { + throw new UnsupportedOperationException("Unexpected lack of " + + "UTF-8 support.", e); + } + + // Verify format of provided data + Matcher matcher = COOKIE_FORMAT.matcher(data); + if (!matcher.matches()) + throw new GuacamoleClientException("Format of base64-encoded " + + "username is invalid."); + + // Get username and key (simple strings) + String username = matcher.group(USERNAME_GROUP); + String key = matcher.group(INTEGRATION_KEY_GROUP); + + // Parse expiration time + long expires; + try { + expires = Long.parseLong(matcher.group(EXPIRATION_TIMESTAMP_GROUP)); + } + + // Bail if expiration timestamp is not a valid long + catch (NumberFormatException e) { + throw new GuacamoleClientException("Expiration timestamp is " + + "not valid.", e); + } + + // Return parsed cookie + return new DuoCookie(username, key, expires); + + } + + /** + * Returns the base64-encoded string representation of this DuoCookie. The + * format used is identical to that required by the Duo service: the + * username, integration key, and expiration timestamp separated by pipe + * symbols ("|") and encoded with base64. + * + * @return + * The base64-encoded string representation of this DuoCookie. + */ + @Override + public String toString() { + + try { + + // Separate each cookie field with pipe symbols + String data = username + "|" + integrationKey + "|" + expires; + + // Encode resulting cookie string with base64 + return DatatypeConverter.printBase64Binary(data.getBytes("UTF-8")); + + } + + // Throw hard errors if standard pieces of Java are missing + catch (UnsupportedEncodingException e) { + throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); + } + + } + +}
