GUACAMOLE-362: Add support for CAS ClearPass, parsing and decrypting the password and assigning it a token.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/1c4831dd Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/1c4831dd Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/1c4831dd Branch: refs/heads/master Commit: 1c4831dd5191a9043edff7b771fef919a56281db Parents: d955fbe Author: Nick Couchman <vn...@apache.org> Authored: Wed Aug 16 11:58:26 2017 -0400 Committer: Nick Couchman <nick.couch...@yahoo.com> Committed: Fri Oct 27 13:05:12 2017 -0400 ---------------------------------------------------------------------- .../auth/cas/AuthenticationProviderService.java | 103 ++++++++++++++++++- .../auth/cas/conf/CASGuacamoleProperties.java | 13 +++ .../auth/cas/conf/ConfigurationService.java | 17 +++ .../cas/ticket/TicketValidationService.java | 9 +- 4 files changed, 134 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/1c4831dd/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java index f3870a6..0422d30 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java @@ -21,11 +21,26 @@ package org.apache.guacamole.auth.cas; import com.google.inject.Inject; import com.google.inject.Provider; +import java.io.BufferedInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.io.IOException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.spec.KeySpec; +import java.security.spec.PKCS8EncodedKeySpec; import java.util.Arrays; import java.util.Enumeration; +import javax.crypto.Cipher; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import javax.xml.bind.DatatypeConverter; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.LocalEnvironment; import org.apache.guacamole.form.Field; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; @@ -34,6 +49,9 @@ import org.apache.guacamole.auth.cas.conf.ConfigurationService; import org.apache.guacamole.auth.cas.form.CASTicketField; import org.apache.guacamole.auth.cas.ticket.TicketValidationService; import org.apache.guacamole.auth.cas.user.AuthenticatedUser; +import org.jasig.cas.client.authentication.AttributePrincipal; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Service providing convenience functions for the CAS AuthenticationProvider @@ -42,6 +60,11 @@ import org.apache.guacamole.auth.cas.user.AuthenticatedUser; public class AuthenticationProviderService { /** + * Logger for this class. + */ + private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class); + + /** * Service for retrieving CAS configuration information. */ @Inject @@ -83,7 +106,13 @@ public class AuthenticationProviderService { String ticket = request.getParameter(CASTicketField.PARAMETER_NAME); if (ticket != null) { AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); - authenticatedUser.init(ticketService.processUsername(ticket), credentials); + AttributePrincipal principal = ticketService.validateTicket(ticket); + String username = principal.getName(); + credentials.setUsername(username); + String clearPass = decryptPassword(principal.getAttributes().get("credential").toString()); + if (clearPass != null && !clearPass.isEmpty()) + credentials.setPassword(clearPass); + authenticatedUser.init(username, credentials); return authenticatedUser; } } @@ -105,4 +134,76 @@ public class AuthenticationProviderService { } + /** + * Takes an encrypted string representing a password provided by + * the CAS ClearPass service and decrypts it using the private + * key configured for this extension. Returns null if it is + * unable to decrypt the password. + * + * @param encryptedPassword + * A string with the encrypted password provided by the + * CAS service. + * + * @return + * The decrypted password, or null if it is unable to + * decrypt the password. + * @throws GuacamoleException + * If unable to get Guacamole configuration data + */ + private final String decryptPassword(String encryptedPassword) + throws GuacamoleException { + + // If we get nothing, we return nothing. + if (encryptedPassword == null || encryptedPassword.isEmpty()) + return null; + + try { + + // Open and read the file specified in the configuration. + File keyFile = new File(new LocalEnvironment().getGuacamoleHome(), confService.getClearpassKey().toString()); + InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile)); + final byte[] keyBytes = new byte[(int) keyFile.length()]; + keyInput.read(keyBytes); + keyInput.close(); + + // Set up decryption infrastructure + KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); + final PrivateKey privateKey = keyFactory.generatePrivate(keySpec); + final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm()); + final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); + cipher.init(Cipher.DECRYPT_MODE, privateKey); + + // Decrypt and return a new string. + final byte[] cipherData = cipher.doFinal(pass64); + return new String(cipherData); + } + catch (FileNotFoundException e) { + logger.error("ClearPass key file not found, password will not be decrypted."); + logger.debug("Error locating the ClearPass key file: {}", e.getMessage()); + return null; + } + catch (IOException e) { + logger.error("Error reading ClearPass key file, password will not be decrypted."); + logger.debug("Error reading the ClearPass key file: {}", e.getMessage()); + return null; + } + catch (NoSuchAlgorithmException e) { + logger.error("Unable to find the specified algorithm, password will not be decrypted."); + logger.debug("Algorithm was not found: {}", e.getMessage()); + return null; + } + catch (InvalidKeyException e) { + logger.error("Invalid key was loaded, password will not be decrypted."); + logger.debug("The loaded key was invalid: {}", e.getMessage()); + return null; + } + catch (Throwable t) { + logger.error("Error decrypting password, it will not be available as a token."); + logger.debug("Error in one of the components to decrypt the password: {}", t.getMessage()); + return null; + } + + } + } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/1c4831dd/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java index 00fb901..410e848 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java @@ -19,6 +19,7 @@ package org.apache.guacamole.auth.cas.conf; +import org.apache.guacamole.properties.FileGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; /** @@ -57,4 +58,16 @@ public class CASGuacamoleProperties { }; + /** + * The location of the private key file used to retrieve the + * password if CAS is configured to support ClearPass. + */ + public static final FileGuacamoleProperty CAS_CLEARPASS_KEY = + new FileGuacamoleProperty() { + + @Override + public String getName() { return "cas-clearpass-key"; } + + }; + } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/1c4831dd/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java index 17be2d3..b2d74d5 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java @@ -20,6 +20,7 @@ package org.apache.guacamole.auth.cas.conf; import com.google.inject.Inject; +import java.io.File; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; @@ -68,4 +69,20 @@ public class ConfigurationService { return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI); } + /** + * Returns the path to the file that contains the private key + * used to decrypt the credential that is sent encrypted by CAS, + * or null if no key is defined. + * + * @return + * The path to the private key to decrypt the ClearPass + * credential returned by CAS. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ + public File getClearpassKey() throws GuacamoleException { + return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY); + } + } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/1c4831dd/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java index 9644c68..fca2ccf 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java @@ -57,9 +57,7 @@ public class TicketValidationService { * If the ID ticket is not valid, the username claim type is missing, or * guacamole.properties could not be parsed. */ - public String processUsername(String ticket) throws GuacamoleException { - - AttributePrincipal principal = null; + public AttributePrincipal validateTicket(String ticket) throws GuacamoleException { // Retrieve the configured CAS URL, establish a ticket validator, // and then attempt to validate the supplied ticket. If that succeeds, @@ -70,15 +68,12 @@ public class TicketValidationService { try { String confRedirectURI = confService.getRedirectURI(); Assertion a = validator.validate(ticket, confRedirectURI); - principal = a.getPrincipal(); + return a.getPrincipal(); } catch (TicketValidationException e) { throw new GuacamoleException("Ticket validation failed.", e); } - // Return the principal name as the username. - return principal.getName(); - } }