GUACAMOLE-362: Change new property to a PrivateKey and refactor code accordingly.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/badbf4cc Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/badbf4cc Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/badbf4cc Branch: refs/heads/master Commit: badbf4cc7dd1436be8d94e3f346829bcbb9e46ca Parents: ed4c025 Author: Nick Couchman <vn...@apache.org> Authored: Sun Sep 24 15:58:09 2017 -0400 Committer: Nick Couchman <nick.couch...@yahoo.com> Committed: Fri Oct 27 13:05:12 2017 -0400 ---------------------------------------------------------------------- .../auth/cas/AuthenticationProviderService.java | 33 ++++--- .../auth/cas/conf/CASGuacamoleProperties.java | 6 +- .../auth/cas/conf/ConfigurationService.java | 4 +- .../properties/CipherGuacamoleProperty.java | 95 -------------------- .../properties/PrivateKeyGuacamoleProperty.java | 81 +++++++++++++++++ 5 files changed, 106 insertions(+), 113 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/badbf4cc/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java index da32f72..22a63bd 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java 
@@ -44,6 +44,7 @@ import javax.xml.bind.DatatypeConverter;
 import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
@@ -166,32 +167,38 @@ public class AuthenticationProviderService { throws GuacamoleException { // If we get nothing, we return nothing. - if (encryptedPassword == null || encryptedPassword.isEmpty()) + if (encryptedPassword == null || encryptedPassword.isEmpty()) { + logger.warn("No or empty encrypted password, no password will be available."); return null; + } + + final PrivateKey clearpassKey = confService.getClearpassKey(); + if (clearpassKey == null) { + logger.warn("No private key available to decrypt password."); + return null; + } try { - final Cipher cipher = confService.getClearpassCipher(); + final Cipher cipher = Cipher.getInstance(clearpassKey.getAlgorithm()); - if (cipher != null) { + if (cipher == null) + throw new GuacamoleServerException("Failed to initialize cipher object with private key."); - // Decode and decrypt, and return a new string. - final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); - final byte[] cipherData = cipher.doFinal(pass64); - return new String(cipherData); + // Initialize the Cipher in decrypt mode. + cipher.init(Cipher.DECRYPT_MODE, clearpassKey); - } + // Decode and decrypt, and return a new string. + final byte[] pass64 = DatatypeConverter.parseBase64Binary(encryptedPassword); + final byte[] cipherData = cipher.doFinal(pass64); + return new String(cipherData); } catch (Throwable t) { - logger.error("Failed to decrypt the data, password token will not be available."); logger.debug("Failed to either convert Base64 or decrypt the password. CAS Password will not be available inside Guacamole. 
Exception is: {}", t); - return null; + throw new GuacamoleServerException("Failed to decrypt CAS ClearPass password.", t); } - logger.warn("Encrypted password provided by CAS, but no Private Key was available to decrypt it."); - return null; - } } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/badbf4cc/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java index 7a600c9..aa4a06e 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java @@ -19,7 +19,7 @@ package org.apache.guacamole.auth.cas.conf; -import org.apache.guacamole.properties.CipherGuacamoleProperty; +import org.apache.guacamole.properties.PrivateKeyGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; /** @@ -62,8 +62,8 @@ public class CASGuacamoleProperties { * The location of the private key file used to retrieve the * password if CAS is configured to support ClearPass. */ - public static final CipherGuacamoleProperty CAS_CLEARPASS_KEY = - new CipherGuacamoleProperty() { + public static final PrivateKeyGuacamoleProperty CAS_CLEARPASS_KEY = + new PrivateKeyGuacamoleProperty() { @Override public String getName() { return "cas-clearpass-key"; } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/badbf4cc/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java ---------------------------------------------------------------------- 
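Review bot: `new String(cipherData)` at the end of the try block decodes the decrypted password with the JVM's default charset, so the value recovered depends on `file.encoding`; if CAS encodes the ClearPass password as UTF-8 (confirm against the CAS side), write `return new String(cipherData, "UTF-8");`. Two lines earlier the guard `if (cipher == null)` is unreachable, since `Cipher.getInstance` throws `NoSuchAlgorithmException` or `NoSuchPaddingException` instead of returning null, and that same call passes only `clearpassKey.getAlgorithm()` — the `"RSA"` the new PrivateKeyGuacamoleProperty builds its KeyFactory with — which leaves cipher mode and padding to the installed JCE provider's defaults; the transformation the CAS server actually encrypts with should be written out in that argument. `catch (Throwable t)` additionally rewraps JVM errors such as `OutOfMemoryError` as a `GuacamoleServerException`; catching `GeneralSecurityException` and `IllegalArgumentException` (what `parseBase64Binary` throws on malformed input) covers the decode and decrypt failures without that. The method's signature lies above the hunk.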
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java index ba969d4..409097e 100644 --- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java @@ -21,7 +21,7 @@ package org.apache.guacamole.auth.cas.conf; import com.google.inject.Inject; import java.io.File; -import javax.crypto.Cipher; +import java.security.PrivateKey; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; @@ -82,7 +82,7 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - public Cipher getClearpassCipher() throws GuacamoleException { + public PrivateKey getClearpassKey() throws GuacamoleException { return environment.getProperty(CASGuacamoleProperties.CAS_CLEARPASS_KEY); } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/badbf4cc/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java ---------------------------------------------------------------------- diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java b/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java deleted file mode 100644 index d4d763f..0000000 --- a/guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java +++ /dev/null 
@@ -1,95 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.properties;
-
-import java.io.BufferedInputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.InputStream;
-import java.io.IOException;
-import java.lang.IllegalArgumentException;
-import java.security.InvalidKeyException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.KeySpec;
-import java.security.spec.PKCS8EncodedKeySpec;
-import javax.crypto.Cipher;
-import javax.crypto.NoSuchPaddingException;
-import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.environment.Environment;
-import org.apache.guacamole.environment.LocalEnvironment;
-
-/**
- * A GuacamoleProperty whose value is derived from a private key file.
- */ -public abstract class CipherGuacamoleProperty implements GuacamoleProperty<Cipher> { - - @Override - public Cipher parseValue(String value) throws GuacamoleException { - - if (value == null || value.isEmpty()) - return null; - - try { - - final Environment environment = new LocalEnvironment(); - - // Open and read the file specified in the configuration. - File keyFile = new File(environment.getGuacamoleHome(), value); - InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile)); - final byte[] keyBytes = new byte[(int) keyFile.length()]; - keyInput.read(keyBytes); - keyInput.close(); - - // Set up decryption infrastructure - KeyFactory keyFactory = KeyFactory.getInstance("RSA"); - KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); - final PrivateKey privateKey = keyFactory.generatePrivate(keySpec); - final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm()); - cipher.init(Cipher.DECRYPT_MODE, privateKey); - - return cipher; - - } - catch (FileNotFoundException e) { - throw new GuacamoleException("Could not find the specified key file.", e); - } - catch (IOException e) { - throw new GuacamoleException("Could not read in the specified key file.", e); - } - catch (NoSuchAlgorithmException e) { - throw new GuacamoleException("Specified algorithm does not exist.", e); - } - catch (InvalidKeyException e) { - throw new GuacamoleException("Specified key is invalid.", e); - } - catch (InvalidKeySpecException e) { - throw new GuacamoleException("Invalid KeySpec initialization.", e); - } - catch (NoSuchPaddingException e) { - throw new GuacamoleException("No such padding exception.", e); - } - - } - -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/badbf4cc/guacamole-ext/src/main/java/org/apache/guacamole/properties/PrivateKeyGuacamoleProperty.java ---------------------------------------------------------------------- 
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/properties/PrivateKeyGuacamoleProperty.java b/guacamole-ext/src/main/java/org/apache/guacamole/properties/PrivateKeyGuacamoleProperty.java new file mode 100644 index 0000000..904a4d1 --- /dev/null +++ b/guacamole-ext/src/main/java/org/apache/guacamole/properties/PrivateKeyGuacamoleProperty.java 
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.properties;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.IllegalArgumentException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.environment.LocalEnvironment;
+
+/**
+ * A GuacamoleProperty whose value is derived from a private key file.
+ */
+public abstract class PrivateKeyGuacamoleProperty implements GuacamoleProperty<PrivateKey> {
+
+ @Override
+ public PrivateKey parseValue(String value) throws GuacamoleServerException {
+
+ if (value == null || value.isEmpty())
+ return null;
+
+ try {
+
+ // Open and read the file specified in the configuration.
+ File keyFile = new File(value);
+ InputStream keyInput = new BufferedInputStream(new FileInputStream(keyFile));
+ final byte[] keyBytes = new byte[(int) keyFile.length()];
+ keyInput.read(keyBytes);
+ keyInput.close();
+
+ // Set up decryption infrastructure
+ KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+ KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
+ return keyFactory.generatePrivate(keySpec);
+
+ }
+ catch (FileNotFoundException e) {
+ throw new GuacamoleServerException("Could not find the specified key file.", e);
+ }
+ catch (IOException e) {
+ throw new GuacamoleServerException("Could not read in the specified key file.", e);
+ }
+ catch (NoSuchAlgorithmException e) {
+ throw new GuacamoleServerException("Specified algorithm does not exist.", e);
+ }
+ catch (InvalidKeySpecException e) {
+ throw new GuacamoleServerException("Invalid KeySpec initialization.", e);
+ }
+
+ }
+
+}
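Review bot: `keyInput.read(keyBytes)` in parseValue is a single `InputStream.read`, which may fill only part of the array, and `keyInput.close()` is skipped whenever that read throws, so a short read would most likely surface as an `InvalidKeySpecException` with the unrelated "Invalid KeySpec initialization." message while the stream leaks; reading with `DataInputStream.readFully` inside a `try`/`finally` (plus `import java.io.DataInputStream;`) addresses both, as below. The file is also opened as `new File(value)` where the deleted CipherGuacamoleProperty used `new File(environment.getGuacamoleHome(), value)`, so a relative `cas-clearpass-key` path now resolves against the JVM's working directory rather than GUACAMOLE_HOME; if that is intended, the now-unused `Environment`, `LocalEnvironment`, `InvalidKeyException` and `java.lang.IllegalArgumentException` imports should be dropped and the property's Javadoc in CASGuacamoleProperties should say the path is absolute. The class Javadoc should also state what `KeyFactory.getInstance("RSA")` with `PKCS8EncodedKeySpec` accepts: `/** A GuacamoleProperty whose value is an RSA private key read from a file containing the unencrypted PKCS#8 DER encoding; PEM-wrapped or password-protected keys are not accepted. */`.
```java
            // Open and read the file specified in the configuration.
            File keyFile = new File(value);
            final byte[] keyBytes = new byte[(int) keyFile.length()];
            DataInputStream keyInput = new DataInputStream(
                    new BufferedInputStream(new FileInputStream(keyFile)));
            try {
                // readFully() loops until the array is filled; a single read() may stop short.
                keyInput.readFully(keyBytes);
            }
            finally {
                keyInput.close();
            }
            // … unchanged: KeyFactory / PKCS8EncodedKeySpec setup and return …
```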