Github user necouchman commented on a diff in the pull request:

    
https://github.com/apache/incubator-guacamole-client/pull/183#discussion_r140666346
  
    --- Diff: guacamole-ext/src/main/java/org/apache/guacamole/properties/CipherGuacamoleProperty.java ---
    @@ -0,0 +1,92 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *   http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied.  See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +
    +package org.apache.guacamole.properties;
    +
    +import java.io.BufferedInputStream;
    +import java.io.File;
    +import java.io.FileInputStream;
    +import java.io.FileNotFoundException;
    +import java.io.InputStream;
    +import java.io.IOException;
    +import java.lang.IllegalArgumentException;
    +import java.security.InvalidKeyException;
    +import java.security.KeyFactory;
    +import java.security.NoSuchAlgorithmException;
    +import java.security.PrivateKey;
    +import java.security.spec.InvalidKeySpecException;
    +import java.security.spec.KeySpec;
    +import java.security.spec.PKCS8EncodedKeySpec;
    +import javax.crypto.Cipher;
    +import javax.crypto.NoSuchPaddingException;
    +import org.apache.guacamole.GuacamoleException;
    +import org.apache.guacamole.environment.Environment;
    +import org.apache.guacamole.environment.LocalEnvironment;
    +
    +/**
    + * A GuacamoleProperty whose value is derived from a private key file.
    + */
    +public abstract class CipherGuacamoleProperty implements 
GuacamoleProperty<Cipher>  {
    +
    +    @Override
    +    public Cipher parseValue(String value) throws GuacamoleException {
    +
    +        try {
    +
    +            final Environment environment = new LocalEnvironment();
    +
    +            // Open and read the file specified in the configuration.
    +            File keyFile = new File(environment.getGuacamoleHome(), value);
    +            InputStream keyInput = new BufferedInputStream(new 
FileInputStream(keyFile));
    +            final byte[] keyBytes = new byte[(int) keyFile.length()];
    +            keyInput.read(keyBytes);
    +            keyInput.close();
    +
    +            // Set up decryption infrastructure
    +            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    +            KeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
    +            final PrivateKey privateKey = 
keyFactory.generatePrivate(keySpec);
    +            final Cipher cipher = 
Cipher.getInstance(privateKey.getAlgorithm());
    +            cipher.init(Cipher.DECRYPT_MODE, privateKey);
    +
    +            return cipher;
    +
    +        }
    +        catch (FileNotFoundException e) {
    +            throw new GuacamoleException("Could not find the specified key 
file.", e);
    +        }
    +        catch (IOException e) {
    +            throw new GuacamoleException("Could not read in the specified 
key file.", e);
    +        }
    +        catch (NoSuchAlgorithmException e) {
    +            throw new GuacamoleException("Specified algorithm does not 
exist.", e);
    +        }
    +        catch (InvalidKeyException e) {
    +            throw new GuacamoleException("Specified key is invalid.", e);
    +        }
    +        catch (InvalidKeySpecException e) {
    +            throw new GuacamoleException("Invalid KeySpec 
initialization.", e);
    +        }
    +        catch (NoSuchPaddingException e) {
    +            throw new GuacamoleException("No such padding exception.", e);
    +        }
    +
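    Review bot: `keyInput.read(keyBytes);` in `parseValue` ignores the return value and does not guarantee the whole file is read, so a short read hands a truncated buffer to `PKCS8EncodedKeySpec` and surfaces as a misleading `InvalidKeySpecException`; loop until `read` returns -1 or wrap the stream in a `DataInputStream` and call `readFully(keyBytes)`, and move `keyInput.close();` into a `finally` block or a try-with-resources so the stream is not leaked when `KeyFactory`, `generatePrivate` or `cipher.init` throws. Two smaller points in the same method: `Cipher.getInstance(privateKey.getAlgorithm())` passes just "RSA", which leaves mode and padding to the provider default instead of stating the transformation the ClearPass payload was encrypted with, so spell it out (for example `Cipher.getInstance("RSA/ECB/PKCS1Padding")`) and keep it consistent with the "RSA" already hard-coded in `KeyFactory.getInstance("RSA")`; and `import java.lang.IllegalArgumentException;` is redundant because `java.lang` is imported implicitly.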
    --- End diff --
    
    So, I've redone most of this such that it throws the GuacamoleServerException.  There are two scenarios I can think of where having authentication succeed despite some error in the ClearPass decryption process would be desirable:
    - If the credentials object is provided by the CAS server, but the Guacamole admin has not configured a private key, I think authentication should still succeed.  Since, in many organizations, SSO is run by someone different than a VDI/Desktop/RemoteAccess person, it's conceivable that the CAS server may provide something we choose not to consume, and that should not cause an error.
    - Where the Guacamole admin has configured a PrivateKey, but CAS is not providing a value for the credential parameter.  Again, with the potential for CAS and Guacamole to be run by different admins/groups, or for different users within CAS to have different policies applied, it's conceivable that the GuacamoleAdmin configures a PrivateKey file for this purpose, but the attribute is blank/null.

    Is my logic sound there?

